From xen-announce-bounces@lists.xen.org Mon Dec 03 18:02:50 2012
Date: Mon, 03 Dec 2012 17:51:47 +0000
Message-Id: <E1TfaBH-00068a-7n@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Mon, 03 Dec 2012 18:00:54 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 31 (CVE-2012-5515) - Several
 memory hypercall operations allow invalid extent order values
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5515 / XSA-31
                             version 3

  Several memory hypercall operations allow invalid extent order values

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Allowing arbitrary extent_order input values for XENMEM_decrease_reservation,
XENMEM_populate_physmap, and XENMEM_exchange can cause an arbitrarily long time
to be spent in loops without giving other vital code a chance to execute. This
may also leave state inconsistent when these hypercalls complete.

IMPACT
======

A malicious guest administrator can cause Xen to hang.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.  However, older versions (not supporting
Populate-on-Demand, i.e. before 3.4) may only be theoretically affected.

MITIGATION
==========

Running only trusted guest kernels will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa31-4.1.patch             Xen 4.1.x
xsa31-4.2-unstable.patch    Xen 4.2.x, xen-unstable


$ sha256sum xsa31*.patch
8e4bb43999d1a72d7f1b6ad3e66d0c173ca711c8145c5804b025eaa63d2c1691  xsa31-4.1.patch
090d0cca3eddaee798e5f06a8d5f469d47f874c657abcd6028248d949d36da81  xsa31-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa31-4.1.patch"
Content-Disposition: attachment; filename="xsa31-4.1.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa31-4.2-unstable.patch"
Content-Disposition: attachment; filename="xsa31-4.2-unstable.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
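
The XSA-31 issue above, as an added example that is not part of the advisory and is not Xen source code: a small C model of a memory-op handler that can only yield between extents, so the per-extent cost of 2^extent_order pages has to be capped before the loop starts. The struct, function names, cap (MODEL_MAX_ORDER) and slice budget are assumptions made for this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_MAX_ORDER 9u     /* assumed cap: at most 2^9 pages per extent */
#define PREEMPT_BUDGET  4096u  /* assumed page operations allowed per slice */

enum memop_rc { MEMOP_OK = 0, MEMOP_CONTINUE = 1, MEMOP_EINVAL = -1 };

/* Guest-controlled request (model). nr_done lets a call be resumed. */
struct memop_args {
    uint64_t     nr_extents;
    unsigned int extent_order;
    uint64_t     nr_done;
};

/* Pages the request asks the handler to touch; saturates on overflow. */
uint64_t pages_requested(const struct memop_args *a)
{
    if (a->extent_order >= 64)
        return UINT64_MAX;
    if (a->nr_extents > (UINT64_MAX >> a->extent_order))
        return UINT64_MAX;
    return a->nr_extents << a->extent_order;
}

/* Range checks performed before any work is done. */
bool memop_args_valid(const struct memop_args *a)
{
    if (a->extent_order > MODEL_MAX_ORDER)      /* bounds per-extent work */
        return false;
    if (a->nr_extents > (UINT64_MAX >> a->extent_order))
        return false;                           /* total must not overflow */
    return a->nr_done <= a->nr_extents;
}

/*
 * Process extents until done or until the slice budget is used up.
 * Yielding is only possible between extents, so one extent of order N is
 * an uninterruptible run of 2^N page operations. The cap on extent_order
 * is what keeps that run shorter than the budget.
 */
enum memop_rc memop_run(struct memop_args *a, uint64_t *pages_touched)
{
    uint64_t budget = PREEMPT_BUDGET;

    *pages_touched = 0;
    if (!memop_args_valid(a))
        return MEMOP_EINVAL;

    while (a->nr_done < a->nr_extents) {
        uint64_t cost = 1ULL << a->extent_order;

        if (cost > budget)
            return MEMOP_CONTINUE;   /* caller re-issues with nr_done kept */
        budget -= cost;
        *pages_touched += cost;      /* stands in for the real page work */
        a->nr_done++;
    }
    return MEMOP_OK;
}

int main(void)
{
    struct memop_args bad = { 1, 40, 0 };   /* constructed: one 2^40-page extent */
    struct memop_args ok  = { 20, 9, 0 };   /* constructed: twenty 2 MiB extents */
    uint64_t touched;
    int rc;

    rc = memop_run(&bad, &touched);
    printf("order 40: rc=%d touched=%llu\n", rc, (unsigned long long)touched);
    do {
        rc = memop_run(&ok, &touched);
        printf("order 9: rc=%d touched=%llu done=%llu\n", rc,
               (unsigned long long)touched, (unsigned long long)ok.nr_done);
    } while (rc == MEMOP_CONTINUE);
    return 0;
}
```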


From xen-announce-bounces@lists.xen.org Mon Dec 03 18:02:50 2012
Date: Mon, 03 Dec 2012 17:51:42 +0000
Message-Id: <E1TfaBC-00066G-S2@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Mon, 03 Dec 2012 18:00:54 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 26 (CVE-2012-5510) - Grant
 table version switch list corruption vulnerability


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5510 / XSA-26
                             version 3

       Grant table version switch list corruption vulnerability

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Downgrading the grant table version of a guest involves freeing its
status pages. This freeing was incomplete - the page(s) are freed back
to the allocator, but not removed from the domain's tracking
list. This would cause list corruption, eventually leading to a
hypervisor crash.

IMPACT
======

A malicious guest administrator can cause Xen to crash, leading to a
denial of service attack.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.0 on are vulnerable.

Versions 3.4 and earlier are not vulnerable.

MITIGATION
==========

Running only guests with trusted kernels will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa26-4.1.patch             Xen 4.1.x
xsa26-4.2.patch             Xen 4.2.x
xsa26-unstable.patch        xen-unstable


$ sha256sum xsa26*.patch
b4674ddaf9a9786d5e7e5e4f248f6095e118184df581036e0531b5db5e1d645b  xsa26-4.1.patch
a6e2ed7bae3e62d4294fdb48e8a5418b1de8e0e690f4fea4bb430d2b7cf758e6  xsa26-4.2.patch
ac2d5a82f0dba0f4213607a0e3bb9be586d90173bbadc4b402c2f19fbe4b2cf3  xsa26-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa26-4.1.patch"
Content-Disposition: attachment; filename="xsa26-4.1.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa26-4.2.patch"
Content-Disposition: attachment; filename="xsa26-4.2.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa26-unstable.patch"
Content-Disposition: attachment; filename="xsa26-unstable.patch"
Content-Transfer-Encoding: base64


--=separator--
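
The XSA-26 bug class above, as an added example that is not part of the advisory and is not Xen source code: a memory-safe C model in which each page has one embedded list node, so returning a page to the allocator without first unlinking it from the domain's tracking list leaves that list pointing into the free list. All names, the pool size and the index-based list are assumptions of this sketch; list_consistent() is the kind of integrity check that exposes the corruption.

```c
#include <stdbool.h>
#include <stdio.h>

#define NPAGES 8               /* size of the model page pool (assumed) */
#define NIL    (-1)

/* One embedded node per page: a page can sit on only one list at a time. */
struct page { int prev, next, owner; };
struct list { int head, count; };

static struct page pages[NPAGES];
static struct list free_list, dom_list;   /* allocator list, domain tracking list */

static void list_push(struct list *l, int p)
{
    pages[p].prev = NIL;
    pages[p].next = l->head;
    if (l->head != NIL)
        pages[l->head].prev = p;
    l->head = p;
    l->count++;
}

static void list_del(struct list *l, int p)
{
    int pv = pages[p].prev, nx = pages[p].next;

    if (pv != NIL) pages[pv].next = nx; else l->head = nx;
    if (nx != NIL) pages[nx].prev = pv;
    pages[p].prev = pages[p].next = NIL;
    l->count--;
}

void model_reset(void)
{
    free_list.head = dom_list.head = NIL;
    free_list.count = dom_list.count = 0;
    for (int i = 0; i < NPAGES; i++) {
        pages[i].owner = NIL;
        list_push(&free_list, i);
    }
}

/* Take a page from the allocator and track it on the domain's list. */
int alloc_status_page(int domid)
{
    int p = free_list.head;

    if (p == NIL)
        return NIL;
    list_del(&free_list, p);
    pages[p].owner = domid;
    list_push(&dom_list, p);
    return p;
}

/* Incomplete free: page goes back to the allocator but stays tracked. */
void free_status_page_buggy(int p)
{
    pages[p].owner = NIL;
    list_push(&free_list, p);      /* overwrites the node dom_list still uses */
}

/* Complete free: unlink from the tracking list first, then release. */
void free_status_page_fixed(int p)
{
    list_del(&dom_list, p);
    pages[p].owner = NIL;
    list_push(&free_list, p);
}

/* Integrity check: back-links, ownership, length and absence of cycles. */
bool list_consistent(const struct list *l, int owner)
{
    int prev = NIL, steps = 0;

    for (int p = l->head; p != NIL; p = pages[p].next) {
        if (++steps > NPAGES)         return false;
        if (pages[p].prev != prev)    return false;
        if (pages[p].owner != owner)  return false;
        prev = p;
    }
    return steps == l->count;
}

/* Allocate three status pages for domain 1, then free them all. */
bool downgrade_keeps_tracking_list_sane(bool fixed)
{
    int sp[3];

    model_reset();
    for (int i = 0; i < 3; i++)
        sp[i] = alloc_status_page(1);
    for (int i = 0; i < 3; i++) {
        if (fixed) free_status_page_fixed(sp[i]);
        else       free_status_page_buggy(sp[i]);
    }
    return list_consistent(&dom_list, 1);
}

int main(void)
{
    printf("incomplete free: tracking list sane = %d\n",
           downgrade_keeps_tracking_list_sane(false));
    printf("complete free:   tracking list sane = %d\n",
           downgrade_keeps_tracking_list_sane(true));
    return 0;
}
```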


From xen-announce-bounces@lists.xen.org Mon Dec 03 18:02:51 2012
Date: Mon, 03 Dec 2012 17:51:48 +0000
Message-Id: <E1TfaBI-000691-0m@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Mon, 03 Dec 2012 18:00:54 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 32 (CVE-2012-5525) - several
 hypercalls do not validate input GFNs


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5525 / XSA-32
			      version 4

	     several hypercalls do not validate input GFNs

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The function get_page_from_gfn does not validate its input GFN. An
invalid GFN passed to a hypercall which uses this function will cause
the hypervisor to read off the end of the frame table and potentially
crash.

IMPACT
======

A malicious guest administrator of a PV guest can cause Xen to crash.
If the out of bounds access does not lead to a crash, a carefully
crafted privilege escalation cannot be excluded, even though the guest
doesn't itself control the values written.

VULNERABLE SYSTEMS
==================

Only Xen 4.2 and Xen unstable are vulnerable. Xen 4.1 and earlier are
not vulnerable.

The vulnerability is exposed only to PV guests.

MITIGATION
==========

Running only trusted PV guest kernels will avoid this vulnerability.

Running only HVM guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa32-4.2.patch             Xen 4.2.x, xen-unstable
xsa32-unstable.patch        xen-unstable


$ sha256sum xsa32*.patch
ad25c9298b543ef7af40e9f09cae232d36efc1932804678355ab724a19e3afd9  xsa32-4.2.patch
734cff82a93f032165ef26633acb30a499cc063141c2b16fccb294703718fcb0  xsa32-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa32-4.2.patch"
Content-Disposition: attachment; filename="xsa32-4.2.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa32-unstable.patch"
Content-Disposition: attachment; filename="xsa32-unstable.patch"
Content-Transfer-Encoding: base64


--=separator--
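
The XSA-32 issue above, as an added example that is not part of the advisory and is not Xen source code: a C model of a frame-table lookup that validates the guest-supplied frame number at full width before it is used as an index, then checks ownership before taking a reference. The table size, the ownership layout and every name other than the idea of a get_page_from_gfn-style lookup are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_FRAMES 16u       /* entries in the model frame table (assumed) */
#define DOM_NONE     (-1)

struct page_info {
    int      owner;            /* owning domain id, DOM_NONE if unassigned */
    unsigned refcount;
};

static struct page_info frame_table[MODEL_FRAMES];

/* Constructed layout: frames 4..7 belong to domain 1, the rest to nobody. */
void model_init(void)
{
    for (size_t i = 0; i < MODEL_FRAMES; i++) {
        frame_table[i].owner = (i >= 4 && i < 8) ? 1 : DOM_NONE;
        frame_table[i].refcount = 0;
    }
}

/* Compare the full 64-bit value; truncating first would alias high GFNs. */
bool frame_number_valid(uint64_t fn)
{
    return fn < MODEL_FRAMES;
}

/*
 * Checked lookup: returns NULL for a frame number outside the table or a
 * frame the caller's domain does not own. The range check comes before
 * the table entry is read, which is the step the advisory says was missing.
 */
struct page_info *get_page_from_gfn_checked(int domid, uint64_t gfn)
{
    struct page_info *pg;

    if (!frame_number_valid(gfn))
        return NULL;
    pg = &frame_table[gfn];
    if (pg->owner != domid)
        return NULL;
    pg->refcount++;            /* reference handed to the caller */
    return pg;
}

/* Count how many guest-supplied frame numbers the checked lookup refuses. */
size_t count_rejected(int domid, const uint64_t *gfns, size_t n)
{
    size_t rejected = 0;

    for (size_t i = 0; i < n; i++)
        if (get_page_from_gfn_checked(domid, gfns[i]) == NULL)
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed inputs: valid, one past the end, all-ones, a value whose
     * low 32 bits equal 5, and an in-range frame the domain does not own. */
    const uint64_t gfns[] = { 5, 16, UINT64_MAX, (1ULL << 32) + 5, 3 };

    model_init();
    printf("rejected %zu of 5\n", count_rejected(1, gfns, 5));
    return 0;
}
```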


From xen-announce-bounces@lists.xen.org Mon Dec 03 18:02:51 2012
Date: Mon, 03 Dec 2012 17:51:46 +0000
Message-Id: <E1TfaBG-000688-Od@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Mon, 03 Dec 2012 18:00:54 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 30 (CVE-2012-5514) - Broken
 error handling in guest_physmap_mark_populate_on_demand()


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5514 / XSA-30
                              version 4

    Broken error handling in guest_physmap_mark_populate_on_demand()

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

guest_physmap_mark_populate_on_demand(), before carrying out its actual
operation, checks that the subject GFNs are not in use. If that check fails,
the code prints a message and bypasses the gfn_unlock() matching the
gfn_lock() carried out before entering the loop.

Further, the function is exposed to the use of guests on their own
behalf.  While we believe that this does not cause any further issues,
we have not conducted a thorough enough review to be sure.  Rather, it
should be exposed only to privileged domains.

IMPACT
======

A malicious guest administrator can cause Xen to hang.

VULNERABLE SYSTEMS
==================

All Xen versions from 3.4 on are vulnerable.

The vulnerability is only exposed by HVM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa30-4.1.patch             Xen 4.1.x
xsa30-4.2.patch             Xen 4.2.x
xsa30-unstable.patch        xen-unstable

$ sha256sum xsa30*.patch
586adda04271e91e42f42bb53636e2aa6fc7379e2c2c4b825e7ec6e34350669e  xsa30-4.1.patch
c410bffb90a551be30fde5ec4593c361b69e9c261878255fdb4f8447e7177418  xsa30-4.2.patch
2270eed8b89e4e28c4c79e5a284203632a7189474d6f0a6152d6cf56b287497b  xsa30-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa30-4.1.patch"
Content-Disposition: attachment; filename="xsa30-4.1.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa30-4.2.patch"
Content-Disposition: attachment; filename="xsa30-4.2.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa30-unstable.patch"
Content-Disposition: attachment; filename="xsa30-unstable.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
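
Added example (not part of the advisory and not Xen's code): a C model of
the XSA-30 error path, with the unlock bypassed in the first function and
the corrected form, including a privileged-caller check, in the second.
Only gfn_lock()/gfn_unlock() come from the advisory; the toy_* names, the
lock counter, the GFN array and the error codes are assumptions.

```c
#include <errno.h>
#include <stdbool.h>

#define TOY_GFNS 16u

/* Toy stand-in for the p2m state (assumption, not Xen's structure). */
struct toy_p2m {
    int  lock_depth;          /* 0 = unlocked, >0 = lock still held */
    bool in_use[TOY_GFNS];    /* GFNs that already back guest RAM */
    bool is_pod[TOY_GFNS];    /* GFNs marked populate-on-demand */
};

/* Models of gfn_lock()/gfn_unlock(): they only count holders. */
static void toy_gfn_lock(struct toy_p2m *p)   { p->lock_depth++; }
static void toy_gfn_unlock(struct toy_p2m *p) { p->lock_depth--; }

/* Reject ranges that do not fit the toy GFN space. */
static bool toy_range_valid(unsigned int gfn, unsigned int order)
{
    return order <= 4 && gfn <= TOY_GFNS - (1u << order);
}

/* Before: the "in use" exit jumps past the unlock, and any caller is served. */
int toy_mark_pod_before(struct toy_p2m *p, bool caller_privileged,
                        unsigned int gfn, unsigned int order)
{
    unsigned int i, n;
    int rc = 0;

    (void)caller_privileged;          /* never consulted */
    if (!toy_range_valid(gfn, order))
        return -EINVAL;
    n = 1u << order;

    toy_gfn_lock(p);
    for (i = 0; i < n; i++) {
        if (p->in_use[gfn + i]) {
            rc = -EBUSY;
            goto out;                 /* skips toy_gfn_unlock() below */
        }
    }
    for (i = 0; i < n; i++)
        p->is_pod[gfn + i] = true;    /* the actual operation */
    toy_gfn_unlock(p);
out:
    return rc;
}

/* After: refuse unprivileged callers up front, and route every exit taken
 * while the lock is held through the unlock. */
int toy_mark_pod_after(struct toy_p2m *p, bool caller_privileged,
                       unsigned int gfn, unsigned int order)
{
    unsigned int i, n;
    int rc = 0;

    if (!caller_privileged)
        return -EPERM;                /* before any lock is taken */
    if (!toy_range_valid(gfn, order))
        return -EINVAL;
    n = 1u << order;

    toy_gfn_lock(p);
    for (i = 0; i < n; i++) {
        if (p->in_use[gfn + i]) {
            rc = -EBUSY;
            goto out;
        }
    }
    for (i = 0; i < n; i++)
        p->is_pod[gfn + i] = true;
out:
    toy_gfn_unlock(p);                /* runs on success and on failure */
    return rc;
}
```

A lock depth that is still non-zero after the call returns is the toy
equivalent of the hang: the next path that needs the same lock never gets it.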


From xen-announce-bounces@lists.xen.org Mon Dec 03 18:02:50 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 03 Dec 2012 18:02:50 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TfaKB-0006kl-3K; Mon, 03 Dec 2012 18:00:59 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBU-0003H8-Qg; Mon, 03 Dec 2012 17:52:01 +0000
Received: from [85.158.138.51:23491] by server-11.bemta-3.messagelabs.com id
	F5/50-19361-FB6ECB05; Mon, 03 Dec 2012 17:51:59 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-174.messagelabs.com!1354557117!32614814!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.8; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 21329 invoked from network); 3 Dec 2012 17:51:58 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-5.tower-174.messagelabs.com with AES256-SHA encrypted SMTP;
	3 Dec 2012 17:51:58 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBG-0002NF-9i; Mon, 03 Dec 2012 17:51:46 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBF-00067d-Un; Mon, 03 Dec 2012 17:51:45 +0000
Date: Mon, 03 Dec 2012 17:51:45 +0000
Message-Id: <E1TfaBF-00067d-Un@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Mon, 03 Dec 2012 18:00:54 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 29 (CVE-2012-5513) -
 XENMEM_exchange may overwrite hypervisor memory
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5513 / XSA-29
                             version 3

           XENMEM_exchange may overwrite hypervisor memory

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The handler for XENMEM_exchange accesses guest memory without range checking
the guest provided addresses, thus allowing these accesses to include the
hypervisor reserved range.

IMPACT
======

A malicious guest administrator can cause Xen to crash.  If the out of address
space bounds access does not lead to a crash, a carefully crafted privilege
escalation cannot be excluded, even though the guest doesn't itself control
the values written.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

The vulnerability is only exposed to PV guests.

MITIGATION
==========

Running only HVM guests, or ensuring that PV guests only use trusted kernels,
will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa29-4.1.patch             Xen 4.1.x
xsa29-4.2-unstable.patch    Xen 4.2.x, xen-unstable


$ sha256sum xsa29*.patch
7246a5534bc1e6a47bb6a860f6eb61c8353ad8b46209310783e823b4f7e2eae8  xsa29-4.1.patch
54dcd3ac5c84903bfb04f8591107a74c27b079815f2c6843212e05f776873c73  xsa29-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa29-4.1.patch"
Content-Disposition: attachment; filename="xsa29-4.1.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa29-4.2-unstable.patch"
Content-Disposition: attachment; filename="xsa29-4.2-unstable.patch"
Content-Transfer-Encoding: base64
--=separator--
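
Added example (not from the advisory or the Xen source): what a range check
on guest-provided addresses has to get right before a handler such as the
XENMEM_exchange one in XSA-29 touches memory. It goes one step beyond the
advisory by contrasting a check that wraps around with an overflow-safe one;
TOY_RESERVED_START, the struct fields and all function names are constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed start of the "hypervisor reserved range"; not Xen's layout. */
#define TOY_RESERVED_START UINT64_C(0xFFFF800000000000)

/* Naive check: count * size and addr + ... can both wrap modulo 2^64, so a
 * huge count or an address near the top of the space passes. */
bool toy_range_ok_naive(uint64_t addr, uint64_t count, uint64_t size)
{
    return addr + count * size <= TOY_RESERVED_START;
}

/* Overflow-safe check: [addr, addr + count * size) must end at or below
 * TOY_RESERVED_START. Uses subtraction and division only, so no
 * intermediate value can wrap. */
bool toy_range_ok(uint64_t addr, uint64_t count, uint64_t size)
{
    if (addr > TOY_RESERVED_START)
        return false;
    if (count == 0 || size == 0)
        return true;                  /* empty range touches nothing */
    return count <= (TOY_RESERVED_START - addr) / size;
}

/* Hypothetical request shape: an input and an output array of 64-bit
 * entries, both located by guest-provided addresses. */
struct toy_exchange {
    uint64_t in_addr,  in_nr;
    uint64_t out_addr, out_nr;
};

/* Validate both arrays before the first access to either of them. */
int toy_exchange_validate(const struct toy_exchange *x)
{
    if (!toy_range_ok(x->in_addr,  x->in_nr,  sizeof(uint64_t)) ||
        !toy_range_ok(x->out_addr, x->out_nr, sizeof(uint64_t)))
        return -EFAULT;
    return 0;
}
```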


From xen-announce-bounces@lists.xen.org Mon Dec 03 18:02:50 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 03 Dec 2012 18:02:50 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TfaK7-0006i5-OI; Mon, 03 Dec 2012 18:00:55 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBO-0003Ez-Jp; Mon, 03 Dec 2012 17:51:55 +0000
Received: from [85.158.139.211:48146] by server-10.bemta-5.messagelabs.com id
	5E/BE-09257-9B6ECB05; Mon, 03 Dec 2012 17:51:53 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-206.messagelabs.com!1354557111!18824868!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.8; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 13587 invoked from network); 3 Dec 2012 17:51:52 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-5.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	3 Dec 2012 17:51:52 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBD-0002Mr-Qx; Mon, 03 Dec 2012 17:51:43 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBC-00066G-S2; Mon, 03 Dec 2012 17:51:42 +0000
Date: Mon, 03 Dec 2012 17:51:42 +0000
Message-Id: <E1TfaBC-00066G-S2@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Mon, 03 Dec 2012 18:00:54 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 26 (CVE-2012-5510) - Grant
 table version switch list corruption vulnerability
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5510 / XSA-26
                             version 3

       Grant table version switch list corruption vulnerability

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Downgrading the grant table version of a guest involves freeing its
status pages. This freeing was incomplete - the page(s) are freed back
to the allocator, but not removed from the domain's tracking
list. This would cause list corruption, eventually leading to a
hypervisor crash.

IMPACT
======

A malicious guest administrator can cause Xen to crash, leading to a
denial of service attack.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.0 on are vulnerable.

Versions 3.4 and earlier are not vulnerable.

MITIGATION
==========

Running only guests with trusted kernels will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa26-4.1.patch             Xen 4.1.x
xsa26-4.2.patch             Xen 4.2.x
xsa26-unstable.patch        xen-unstable


$ sha256sum xsa26*.patch
b4674ddaf9a9786d5e7e5e4f248f6095e118184df581036e0531b5db5e1d645b  xsa26-4.1.patch
a6e2ed7bae3e62d4294fdb48e8a5418b1de8e0e690f4fea4bb430d2b7cf758e6  xsa26-4.2.patch
ac2d5a82f0dba0f4213607a0e3bb9be586d90173bbadc4b402c2f19fbe4b2cf3  xsa26-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa26-4.1.patch"
Content-Disposition: attachment; filename="xsa26-4.1.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa26-4.2.patch"
Content-Disposition: attachment; filename="xsa26-4.2.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa26-unstable.patch"
Content-Disposition: attachment; filename="xsa26-unstable.patch"
Content-Transfer-Encoding: base64
--=separator--
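
Added example (not from the advisory or the Xen source): a C model of the
incomplete free described in XSA-26, where a page goes back to the allocator
while it is still linked on the domain's tracking list. It assumes each page
has a single link field shared by both lists; all toy_* names and the page
indices are constructed.

```c
#include <stdbool.h>

#define TOY_NPAGES 8
#define TOY_NIL    (-1)

/* One link field per page, used by whichever list holds the page
 * (assumption of this model). owner is a domain id, or TOY_NIL when free. */
struct toy_page { int next; int owner; };

struct toy_heap {
    struct toy_page pg[TOY_NPAGES];
    int free_head;                    /* allocator's free list */
    int dom_head;                     /* tracking list of the one toy domain */
};

static void toy_init(struct toy_heap *h)
{
    int i;
    h->dom_head = TOY_NIL;
    h->free_head = 0;
    for (i = 0; i < TOY_NPAGES; i++) {
        h->pg[i].owner = TOY_NIL;
        h->pg[i].next = (i + 1 < TOY_NPAGES) ? i + 1 : TOY_NIL;
    }
}

/* Pop a page from the free list and push it on the domain's list. */
static int toy_alloc(struct toy_heap *h, int dom)
{
    int i = h->free_head;
    if (i == TOY_NIL)
        return TOY_NIL;
    h->free_head = h->pg[i].next;
    h->pg[i].owner = dom;
    h->pg[i].next = h->dom_head;
    h->dom_head = i;
    return i;
}

static void toy_unlink_from_domain(struct toy_heap *h, int i)
{
    int *pp = &h->dom_head;
    while (*pp != TOY_NIL && *pp != i)
        pp = &h->pg[*pp].next;
    if (*pp == i)
        *pp = h->pg[i].next;
}

/* Push a page on the free list; this overwrites the shared link field. */
static void toy_heap_free(struct toy_heap *h, int i)
{
    h->pg[i].owner = TOY_NIL;
    h->pg[i].next = h->free_head;
    h->free_head = i;
}

/* Before: freed back to the allocator, never unlinked from the domain. */
void toy_release_page_before(struct toy_heap *h, int i)
{
    toy_heap_free(h, i);
}

/* After: unlink from the tracking list first, then free. */
void toy_release_page_after(struct toy_heap *h, int i)
{
    toy_unlink_from_domain(h, i);
    toy_heap_free(h, i);
}

/* Number of entries reachable from the domain list (capped against cycles). */
int toy_domain_list_len(const struct toy_heap *h)
{
    int i, n = 0;
    for (i = h->dom_head; i != TOY_NIL && n <= TOY_NPAGES; i = h->pg[i].next)
        n++;
    return n;
}

/* True only if every page reachable from the domain list is owned by dom. */
bool toy_domain_list_consistent(const struct toy_heap *h, int dom)
{
    int i, steps = 0;
    for (i = h->dom_head; i != TOY_NIL; i = h->pg[i].next)
        if (h->pg[i].owner != dom || ++steps > TOY_NPAGES)
            return false;
    return true;
}
```

In the "before" case the domain list runs on into the allocator's free list
and loses a page the domain still owns, which is the kind of corruption the
advisory says eventually crashes the hypervisor.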


From xen-announce-bounces@lists.xen.org Mon Dec 03 18:02:51 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 03 Dec 2012 18:02:51 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TfaK8-0006iX-CV; Mon, 03 Dec 2012 18:00:56 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBS-0003Fe-3x; Mon, 03 Dec 2012 17:51:58 +0000
Received: from [85.158.138.51:23328] by server-3.bemta-3.messagelabs.com id
	66/DA-31566-DB6ECB05; Mon, 03 Dec 2012 17:51:57 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-12.tower-174.messagelabs.com!1354557115!24619203!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.8; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 26654 invoked from network); 3 Dec 2012 17:51:56 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-12.tower-174.messagelabs.com with AES256-SHA encrypted SMTP;
	3 Dec 2012 17:51:56 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBF-0002N3-DV; Mon, 03 Dec 2012 17:51:45 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBF-000679-B7; Mon, 03 Dec 2012 17:51:45 +0000
Date: Mon, 03 Dec 2012 17:51:45 +0000
Message-Id: <E1TfaBF-000679-B7@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Mon, 03 Dec 2012 18:00:54 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 28 (CVE-2012-5512) -
 HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5512 / XSA-28
                             version 3

  HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The HVMOP_set_mem_access operation handler uses an input as an array index
before range checking it.

IMPACT
======

A malicious guest administrator can cause Xen to crash.  If the out of array
bounds access does not crash, the arbitrary value read will be used if the
caller reads back the default access through the HVMOP_get_mem_access
operation, thus causing an information leak. The caller cannot, however,
directly control the address from which to read, since the value read in the
first step will be used as an array index again in the second step.

VULNERABLE SYSTEMS
==================

Only Xen version 4.1 is vulnerable.

The vulnerability is only exposed to HVM guests.

MITIGATION
==========

Running only PV guests, or ensuring that the controlling domain of HVM
guests (e.g. dom0 or stubdom) only uses trusted code, will avoid this
vulnerability.

RESOLUTION
==========

The attached patch resolves this issue.


$ sha256sum xsa28*.patch
6282314c4ea0d76ac55473e5fc7d863e045c9f566899eb93c60e5d22f38e8319  xsa28-4.1.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa28-4.1.patch"
Content-Disposition: attachment; filename="xsa28-4.1.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Mon Dec 03 18:02:50 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 03 Dec 2012 18:02:50 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TfaKB-0006kl-3K; Mon, 03 Dec 2012 18:00:59 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBU-0003H8-Qg; Mon, 03 Dec 2012 17:52:01 +0000
Received: from [85.158.138.51:23491] by server-11.bemta-3.messagelabs.com id
	F5/50-19361-FB6ECB05; Mon, 03 Dec 2012 17:51:59 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-174.messagelabs.com!1354557117!32614814!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.8; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 21329 invoked from network); 3 Dec 2012 17:51:58 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-5.tower-174.messagelabs.com with AES256-SHA encrypted SMTP;
	3 Dec 2012 17:51:58 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBG-0002NF-9i; Mon, 03 Dec 2012 17:51:46 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBF-00067d-Un; Mon, 03 Dec 2012 17:51:45 +0000
Date: Mon, 03 Dec 2012 17:51:45 +0000
Message-Id: <E1TfaBF-00067d-Un@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Mon, 03 Dec 2012 18:00:54 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 29 (CVE-2012-5513) -
 XENMEM_exchange may overwrite hypervisor memory
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5513 / XSA-29
                             version 3

           XENMEM_exchange may overwrite hypervisor memory

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The handler for XENMEM_exchange accesses guest memory without range checking
the guest provided addresses, thus allowing these accesses to include the
hypervisor reserved range.

IMPACT
======

A malicious guest administrator can cause Xen to crash.  If the out of address
space bounds access does not lead to a crash, a carefully crafted privilege
escalation cannot be excluded, even though the guest doesn't itself control
the values written.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

The vulnerability is only exposed to PV guests.

MITIGATION
==========

Running only HVM guests, or ensuring that PV guests only use trusted kernels,
will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa29-4.1.patch             Xen 4.1.x
xsa29-4.2-unstable.patch    Xen 4.2.x, xen-unstable


$ sha256sum xsa29*.patch
7246a5534bc1e6a47bb6a860f6eb61c8353ad8b46209310783e823b4f7e2eae8  xsa29-4.1.patch
54dcd3ac5c84903bfb04f8591107a74c27b079815f2c6843212e05f776873c73  xsa29-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa29-4.1.patch"
Content-Disposition: attachment; filename="xsa29-4.1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa29-4.2-unstable.patch"
Content-Disposition: attachment; filename="xsa29-4.2-unstable.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
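
An added example, not part of the advisory and not Xen's code: a self-contained C model of the check whose absence XSA-29 describes, validating each guest-supplied array (start address and element count) against a reserved range before any access. It goes slightly beyond the advisory by also rejecting ranges whose length computation overflows or wraps; `guest_range_ok`, `exchange_check`, the struct layout and the address constants are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout for this model: one reserved window that no
 * guest-supplied range may touch. The values are assumptions. */
#define HYP_RESERVED_START UINT64_C(0xffff800000000000)
#define HYP_RESERVED_END   UINT64_C(0xffff880000000000) /* exclusive */
#define MODEL_EFAULT       (-14)

/* Hypothetical request shape: two guest arrays, each described by a start
 * address and an element count, as in an exchange of "in" for "out". */
struct extent_list {
    uint64_t extent_start;  /* guest address of the first entry */
    uint64_t nr_extents;    /* number of 8-byte entries */
};

struct exchange_req {
    struct extent_list in;
    struct extent_list out;
};

/* True only if [start, start + count * elem_size) neither wraps nor
 * intersects the reserved window. */
static bool guest_range_ok(uint64_t start, uint64_t count, uint64_t elem_size)
{
    uint64_t len, end;

    if (elem_size == 0)
        return false;
    if (count == 0)
        return true;                      /* nothing will be accessed */
    if (count > UINT64_MAX / elem_size)
        return false;                     /* count * elem_size overflows */
    len = count * elem_size;
    if (start > UINT64_MAX - len)
        return false;                     /* range wraps past the top */
    end = start + len;
    return !(start < HYP_RESERVED_END && end > HYP_RESERVED_START);
}

/* Both arrays are checked up front, before any entry is read or written. */
static int exchange_check(const struct exchange_req *req)
{
    if (!guest_range_ok(req->in.extent_start, req->in.nr_extents,
                        sizeof(uint64_t)) ||
        !guest_range_ok(req->out.extent_start, req->out.nr_extents,
                        sizeof(uint64_t)))
        return MODEL_EFAULT;
    return 0;
}

int main(void)
{
    /* Constructed requests: one benign, one whose output array lies in
     * the reserved window. */
    struct exchange_req good = { { 0x1000, 4 }, { 0x2000, 4 } };
    struct exchange_req bad  = { { 0x1000, 4 },
                                 { HYP_RESERVED_START + 0x100, 4 } };

    printf("good: %d\n", exchange_check(&good));
    printf("bad:  %d\n", exchange_check(&bad));
    return 0;
}
```

The overlap test also rejects a range that starts below the window and ends inside or beyond it, which a check of the start address alone would miss.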


From xen-announce-bounces@lists.xen.org Mon Dec 03 18:02:50 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 03 Dec 2012 18:02:50 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TfaK9-0006iq-0J; Mon, 03 Dec 2012 18:00:57 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBT-0003Ez-2H; Mon, 03 Dec 2012 17:51:59 +0000
Received: from [85.158.139.83:64222] by server-10.bemta-5.messagelabs.com id
	C0/EE-09257-EB6ECB05; Mon, 03 Dec 2012 17:51:58 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-4.tower-182.messagelabs.com!1354557116!25493258!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.8; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 18144 invoked from network); 3 Dec 2012 17:51:57 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-4.tower-182.messagelabs.com with AES256-SHA encrypted SMTP;
	3 Dec 2012 17:51:57 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBH-0002Nb-J6; Mon, 03 Dec 2012 17:51:47 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBH-00068a-7n; Mon, 03 Dec 2012 17:51:47 +0000
Date: Mon, 03 Dec 2012 17:51:47 +0000
Message-Id: <E1TfaBH-00068a-7n@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Mon, 03 Dec 2012 18:00:54 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 31 (CVE-2012-5515) - Several
 memory hypercall operations allow invalid extent order values
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5515 / XSA-31
                             version 3

  Several memory hypercall operations allow invalid extent order values

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Allowing arbitrary extent_order input values for XENMEM_decrease_reservation,
XENMEM_populate_physmap, and XENMEM_exchange can cause arbitrarily long time
being spent in loops without allowing vital other code to get a chance to
execute. This may also cause inconsistent state resulting at the completion
of these hypercalls.

IMPACT
======

A malicious guest administrator can cause Xen to hang.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.  However, older versions (not supporting
Populate-on-Demand, i.e. before 3.4) may only be theoretically affected.

MITIGATION
==========

Running only trusted guest kernels will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa31-4.1.patch             Xen 4.1.x
xsa31-4.2-unstable.patch    Xen 4.2.x, xen-unstable


$ sha256sum xsa31*.patch
8e4bb43999d1a72d7f1b6ad3e66d0c173ca711c8145c5804b025eaa63d2c1691  xsa31-4.1.patch
090d0cca3eddaee798e5f06a8d5f469d47f874c657abcd6028248d949d36da81  xsa31-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa31-4.1.patch"
Content-Disposition: attachment; filename="xsa31-4.1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa31-4.2-unstable.patch"
Content-Disposition: attachment; filename="xsa31-4.2-unstable.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Mon Dec 03 18:02:51 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 03 Dec 2012 18:02:51 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TfaK8-0006iX-CV; Mon, 03 Dec 2012 18:00:56 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBS-0003Fe-3x; Mon, 03 Dec 2012 17:51:58 +0000
Received: from [85.158.138.51:23328] by server-3.bemta-3.messagelabs.com id
	66/DA-31566-DB6ECB05; Mon, 03 Dec 2012 17:51:57 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-12.tower-174.messagelabs.com!1354557115!24619203!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.8; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 26654 invoked from network); 3 Dec 2012 17:51:56 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-12.tower-174.messagelabs.com with AES256-SHA encrypted SMTP;
	3 Dec 2012 17:51:56 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBF-0002N3-DV; Mon, 03 Dec 2012 17:51:45 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBF-000679-B7; Mon, 03 Dec 2012 17:51:45 +0000
Date: Mon, 03 Dec 2012 17:51:45 +0000
Message-Id: <E1TfaBF-000679-B7@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Mon, 03 Dec 2012 18:00:54 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 28 (CVE-2012-5512) -
 HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5512 / XSA-28
                             version 3

  HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The HVMOP_set_mem_access operation handler uses an input as an array index
before range checking it.

IMPACT
======

A malicious guest administrator can cause Xen to crash.  If the out of array
bounds access does not crash, the arbitrary value read will be used if the
caller reads back the default access through the HVMOP_get_mem_access
operation, thus causing an information leak. The caller cannot, however,
directly control the address from which to read, since the value read in the
first step will be used as an array index again in the second step.

VULNERABLE SYSTEMS
==================

Only Xen version 4.1 is vulnerable.

The vulnerability is only exposed to HVM guests.

MITIGATION
==========

Running only PV guests, or ensuring that the controlling domain of HVM
guests (e.g. dom0 or stubdom) only uses trusted code, will avoid this
vulnerability.

RESOLUTION
==========

The attached patch resolves this issue.


$ sha256sum xsa28*.patch
6282314c4ea0d76ac55473e5fc7d863e045c9f566899eb93c60e5d22f38e8319  xsa28-4.1.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa28-4.1.patch"
Content-Disposition: attachment; filename="xsa28-4.1.patch"
Content-Transfer-Encoding: base64
--=separator--
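
An added example, not part of the advisory and not Xen's code: a C model of the two-step behaviour XSA-28 describes, with the index-before-check ordering beside the corrected one. The tables, their contents and every function name are constructed for illustration; the backing arrays are deliberately larger than the valid table so that the model's stray reads stay well-defined C.

```c
#include <stdint.h>
#include <stdio.h>

#define NR_ACCESS_TYPES 4u     /* valid inputs are 0..3 (constructed) */
#define MODEL_EINVAL    (-22)

/* fwd_mem[0..3] is the real table; fwd_mem[4..7] stands in for unrelated
 * neighbouring data. All values are constructed. */
static const uint8_t fwd_mem[8] = {
    2, 0, 3, 1,              /* external input -> internal type */
    0xAA, 0xBB, 0xCC, 0xDD   /* data the caller should never observe */
};

/* rev_mem[0..3] inverts the table above; the entry at 0xAA stands in for
 * whatever happens to live at that offset. */
static const uint8_t rev_mem[256] = {
    [0] = 1, [1] = 3, [2] = 0, [3] = 2, [0xAA] = 0x5A
};

struct model_domain {
    uint8_t default_access;  /* internal type stored by "set" */
};

/* Ordering the advisory describes: the input indexes the table before it
 * has been compared with the table size. */
static int set_default_unchecked(struct model_domain *d, uint32_t input)
{
    if (input >= sizeof(fwd_mem))   /* only keeps this model well-defined */
        return MODEL_EINVAL;
    d->default_access = fwd_mem[input];
    return 0;
}

/* Corrected ordering: range check first, index second. */
static int set_default_checked(struct model_domain *d, uint32_t input)
{
    if (input >= NR_ACCESS_TYPES)
        return MODEL_EINVAL;
    d->default_access = fwd_mem[input];
    return 0;
}

/* Read-back that trusts the stored value and indexes with it again. */
static int get_default_unchecked(const struct model_domain *d, uint8_t *out)
{
    *out = rev_mem[d->default_access];
    return 0;
}

/* Read-back that re-validates the stored value as defence in depth. */
static int get_default_checked(const struct model_domain *d, uint8_t *out)
{
    if (d->default_access >= NR_ACCESS_TYPES)
        return MODEL_EINVAL;
    *out = rev_mem[d->default_access];
    return 0;
}

int main(void)
{
    struct model_domain d = { 0 };
    uint8_t out = 0;
    int rc;

    /* Input 4 is one past the valid table (constructed test value). */
    rc = set_default_checked(&d, 4);
    printf("checked set:   rc=%d stored=0x%02x\n", rc, d.default_access);

    rc = set_default_unchecked(&d, 4);
    printf("unchecked set: rc=%d stored=0x%02x\n", rc, d.default_access);

    rc = get_default_unchecked(&d, &out);
    printf("unchecked get: rc=%d out=0x%02x\n", rc, out);

    rc = get_default_checked(&d, &out);
    printf("checked get:   rc=%d\n", rc);
    return 0;
}
```

In the unchecked path the value handed back is selected by the stray byte stored in the first step, not by the caller's input, which matches the advisory's remark that the read address is not directly controllable.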


From xen-announce-bounces@lists.xen.org Mon Dec 03 18:02:51 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 03 Dec 2012 18:02:51 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TfaK9-0006jl-NV; Mon, 03 Dec 2012 18:00:57 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBT-0003GY-VZ; Mon, 03 Dec 2012 17:52:00 +0000
Received: from [85.158.138.51:23427] by server-8.bemta-3.messagelabs.com id
	3F/D4-07786-EB6ECB05; Mon, 03 Dec 2012 17:51:58 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-16.tower-174.messagelabs.com!1354557116!32440021!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.8; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 30664 invoked from network); 3 Dec 2012 17:51:57 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-16.tower-174.messagelabs.com with AES256-SHA encrypted SMTP;
	3 Dec 2012 17:51:57 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBI-0002Np-9g; Mon, 03 Dec 2012 17:51:48 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBI-000691-0m; Mon, 03 Dec 2012 17:51:48 +0000
Date: Mon, 03 Dec 2012 17:51:48 +0000
Message-Id: <E1TfaBI-000691-0m@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Mon, 03 Dec 2012 18:00:54 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 32 (CVE-2012-5525) - several
 hypercalls do not validate input GFNs
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5525 / XSA-32
			      version 4

	     several hypercalls do not validate input GFNs

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The function get_page_from_gfn does not validate its input GFN. An
invalid GFN passed to a hypercall which uses this function will cause
the hypervisor to read off the end of the frame table and potentially
crash.

IMPACT
======

A malicious guest administrator of a PV guest can cause Xen to crash.
If the out of bounds access does not lead to a crash, a carefully
crafted privilege escalation cannot be excluded, even though the guest
doesn't itself control the values written.

VULNERABLE SYSTEMS
==================

Only Xen 4.2 and Xen unstable are vulnerable. Xen 4.1 and earlier are
not vulnerable.

The vulnerability is exposed only to PV guests.

MITIGATION
==========

Running only trusted PV guest kernels will avoid this vulnerability.

Running only HVM guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa32-4.2.patch             Xen 4.2.x, xen-unstable
xsa32-unstable.patch        xen-unstable


$ sha256sum xsa32*.patch
ad25c9298b543ef7af40e9f09cae232d36efc1932804678355ab724a19e3afd9  xsa32-4.2.patch
734cff82a93f032165ef26633acb30a499cc063141c2b16fccb294703718fcb0  xsa32-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa32-4.2.patch"
Content-Disposition: attachment; filename="xsa32-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa32-unstable.patch"
Content-Disposition: attachment; filename="xsa32-unstable.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Wed Dec 05 10:32:39 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 05 Dec 2012 10:32:39 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TgCFA-00074m-QK; Wed, 05 Dec 2012 10:30:20 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaUE-0001tp-VK; Mon, 03 Dec 2012 18:11:23 +0000
Received: from [85.158.139.83:44299] by server-7.bemta-5.messagelabs.com id
	D3/51-23096-94BECB05; Mon, 03 Dec 2012 18:11:21 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-182.messagelabs.com!1354558279!28244673!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.8; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 31739 invoked from network); 3 Dec 2012 18:11:20 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-5.tower-182.messagelabs.com with AES256-SHA encrypted SMTP;
	3 Dec 2012 18:11:20 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBE-0002Mv-OI; Mon, 03 Dec 2012 17:51:44 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBE-00066j-ID; Mon, 03 Dec 2012 17:51:44 +0000
Date: Mon, 03 Dec 2012 17:51:44 +0000
Message-Id: <E1TfaBE-00066j-ID@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Wed, 05 Dec 2012 10:30:20 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 27 (CVE-2012-5511) - several
 HVM operations do not validate the range of their inputs
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5511 / XSA-27
                           version 4

   several HVM operations do not validate the range of their inputs

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

Several HVM control operations do not check the size of their inputs
and can tie up a physical CPU for extended periods of time.

In addition dirty video RAM tracking involves clearing the bitmap
provided by the domain controlling the guest (e.g. dom0 or a
stubdom). If the size of that bitmap is overly large, an intermediate
variable on the hypervisor stack may overflow that stack.

IMPACT
======

A malicious guest administrator can cause Xen to become unresponsive
or to crash leading in either case to a Denial of Service.

VULNERABLE SYSTEMS
==================

All Xen versions from 3.4 onwards are vulnerable.

However Xen 4.2 and unstable are not vulnerable to the stack
overflow. Systems running either of these are not vulnerable to the
crash.

Version 3.4, 4.0 and 4.1 are vulnerable to both the stack overflow and
the physical CPU hang.

The vulnerability is only exposed to HVM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa27-4.1.patch             Xen 4.1.x
xsa27-4.2.patch             Xen 4.2.x
xsa27-4.unstable.patch      xen-unstable


$ sha256sum xsa27*.patch
7443da829a7b2dd4b5e0b8db97a8b569e7c10d908ee7c34fa60bc2ddd781be57  xsa27-4.1.patch
462eae827944d1d337a6ebf13a36ea952d7fb76b993b9c29946e1d9cfb5ea2a3  xsa27-4.2.patch
fcb07c6bd78a0d9513a68e2eb3bf0c21ef4d8ff0e6ebf6fdce04a3170303cab6  xsa27-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa27-4.1.patch"
Content-Disposition: attachment; filename="xsa27-4.1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa27-4.2.patch"
Content-Disposition: attachment; filename="xsa27-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa27-unstable.patch"
Content-Disposition: attachment; filename="xsa27-unstable.patch"
Content-Transfer-Encoding: base64
--=separator--
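
An added example, not part of either advisory and not Xen's code: a C model of the control that XSA-31 (unbounded extent_order) and XSA-27 (unchecked input sizes) both call for, namely rejecting oversized inputs and doing a bounded amount of work per invocation while recording progress. `MODEL_MAX_ORDER`, `MODEL_PAGE_BUDGET` and all other names and values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define MODEL_MAX_ORDER   9u     /* assumed cap: at most 2^9 pages per extent */
#define MODEL_PAGE_BUDGET 1024u  /* assumed pages of work per invocation */
#define MODEL_EINVAL      (-22)
#define MODEL_CONTINUE    1      /* caller must re-issue to finish */

struct mem_op {
    uint64_t nr_extents;    /* caller-supplied */
    uint32_t extent_order;  /* caller-supplied: each extent is 2^order pages */
    uint64_t nr_done;       /* progress, preserved across invocations */
    uint64_t pages_done;    /* pages handled so far (for the demo) */
};

/* One invocation: validate, then handle extents until the work is done or
 * the page budget is spent. State is only advanced per completed extent,
 * so a re-issued call resumes from a consistent point. */
static int mem_op_step(struct mem_op *op)
{
    uint64_t pages_per_extent;
    uint64_t budget = MODEL_PAGE_BUDGET;

    /* Rejecting large orders bounds the inner work and also keeps the
     * shift below within the width of the type. */
    if (op->extent_order > MODEL_MAX_ORDER)
        return MODEL_EINVAL;
    if (op->nr_done > op->nr_extents)
        return MODEL_EINVAL;

    pages_per_extent = UINT64_C(1) << op->extent_order;

    while (op->nr_done < op->nr_extents) {
        if (budget < pages_per_extent)
            return MODEL_CONTINUE;       /* yield; progress is recorded */
        op->pages_done += pages_per_extent;  /* stand-in for per-page work */
        budget -= pages_per_extent;
        op->nr_done++;
    }
    return 0;
}

/* Drive an operation to completion, counting how many invocations it took. */
static int mem_op_run(struct mem_op *op, unsigned *invocations)
{
    int rc;

    *invocations = 0;
    do {
        rc = mem_op_step(op);
        (*invocations)++;
    } while (rc == MODEL_CONTINUE);
    return rc;
}

int main(void)
{
    /* Constructed inputs: a large but valid request and an invalid order. */
    struct mem_op ok  = { 5, 9, 0, 0 };
    struct mem_op bad = { 1, 40, 0, 0 };
    unsigned n;
    int rc;

    rc = mem_op_run(&ok, &n);
    printf("ok:  rc=%d invocations=%u pages=%llu\n",
           rc, n, (unsigned long long)ok.pages_done);
    rc = mem_op_run(&bad, &n);
    printf("bad: rc=%d invocations=%u\n", rc, n);
    return 0;
}
```

Because the cap is no larger than the budget, every invocation completes at least one extent, so the re-issue loop always terminates.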


From xen-announce-bounces@lists.xen.org Wed Dec 05 10:32:39 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 05 Dec 2012 10:32:39 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TgCFA-00074m-QK; Wed, 05 Dec 2012 10:30:20 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaUE-0001tp-VK; Mon, 03 Dec 2012 18:11:23 +0000
Received: from [85.158.139.83:44299] by server-7.bemta-5.messagelabs.com id
	D3/51-23096-94BECB05; Mon, 03 Dec 2012 18:11:21 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-182.messagelabs.com!1354558279!28244673!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.8; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 31739 invoked from network); 3 Dec 2012 18:11:20 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-5.tower-182.messagelabs.com with AES256-SHA encrypted SMTP;
	3 Dec 2012 18:11:20 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBE-0002Mv-OI; Mon, 03 Dec 2012 17:51:44 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TfaBE-00066j-ID; Mon, 03 Dec 2012 17:51:44 +0000
Date: Mon, 03 Dec 2012 17:51:44 +0000
Message-Id: <E1TfaBE-00066j-ID@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Wed, 05 Dec 2012 10:30:20 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 27 (CVE-2012-5511) - several
 HVM operations do not validate the range of their inputs
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5511 / XSA-27
                           version 4

   several HVM operations do not validate the range of their inputs

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

Several HVM control operations do not check the size of their inputs
and can tie up a physical CPU for extended periods of time.

In addition dirty video RAM tracking involves clearing the bitmap
provided by the domain controlling the guest (e.g. dom0 or a
stubdom). If the size of that bitmap is overly large, an intermediate
variable on the hypervisor stack may overflow that stack.

IMPACT
======

A malicious guest administrator can cause Xen to become unresponsive
or to crash leading in either case to a Denial of Service.

VULNERABLE SYSTEMS
==================

All Xen versions from 3.4 onwards are vulnerable.

However Xen 4.2 and unstable are not vulnerable to the stack
overflow. Systems running either of these are not vulnerable to the
crash.

Version 3.4, 4.0 and 4.1 are vulnerable to both the stack overflow and
the physical CPU hang.

The vulnerability is only exposed to HVM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa27-4.1.patch             Xen 4.1.x
xsa27-4.2.patch             Xen 4.2.x
xsa27-4.unstable.patch      xen-unstable


$ sha256sum xsa27*.patch
7443da829a7b2dd4b5e0b8db97a8b569e7c10d908ee7c34fa60bc2ddd781be57  xsa27-4.1.patch
462eae827944d1d337a6ebf13a36ea952d7fb76b993b9c29946e1d9cfb5ea2a3  xsa27-4.2.patch
fcb07c6bd78a0d9513a68e2eb3bf0c21ef4d8ff0e6ebf6fdce04a3170303cab6  xsa27-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa27-4.1.patch"
Content-Disposition: attachment; filename="xsa27-4.1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa27-4.2.patch"
Content-Disposition: attachment; filename="xsa27-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa27-unstable.patch"
Content-Disposition: attachment; filename="xsa27-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--=separator--
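
The two failure modes named under ISSUE DESCRIPTION in XSA-27 above (unbounded work per call, and a stack variable sized from caller input) and the general shape of a fix, as an added C illustration that is not taken from the advisory or its attached patches. All names, the 1 GiB cap and the batch size are assumptions.

```c
/* Added illustration: hypothetical names and limits, not Xen source code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define PAGE_SHIFT      12
/* Assumed policy cap: a tracked range may cover at most 1 GiB of guest RAM. */
#define MAX_TRACK_PAGES ((UINT64_C(1) << 30) >> PAGE_SHIFT)
/* Assumed amount of work done before control returns to the caller. */
#define BATCH_PAGES     UINT64_C(1024)

enum { TRACK_DONE = 0, TRACK_AGAIN = 1 };

/* Hypothetical request as filled in by the domain controlling the guest. */
struct track_req {
    uint64_t first_pfn; /* first guest page frame of the range */
    uint64_t nr;        /* number of pages, one bit each in the bitmap */
    uint64_t done;      /* pages already processed (continuation cursor) */
};

/* Range-check every caller-supplied field before any size is derived. */
int track_validate(const struct track_req *r)
{
    if (r->nr == 0 || r->nr > MAX_TRACK_PAGES)
        return -EINVAL;
    if (r->first_pfn + r->nr < r->first_pfn) /* pfn range wraps around */
        return -EINVAL;
    if (r->done > r->nr)
        return -EINVAL;
    return 0;
}

/*
 * The bitmap size depends on caller input, so it lives on the heap.
 * The pattern to avoid is `uint8_t bitmap[(nr + 7) / 8];` on a small,
 * fixed-size stack, where a large nr runs past the end of the stack.
 */
uint8_t *track_alloc_bitmap(const struct track_req *r, size_t *bytes)
{
    if (track_validate(r) != 0)
        return NULL;
    *bytes = (size_t)((r->nr + 7) / 8);
    return calloc(1, *bytes);
}

/*
 * Clear at most BATCH_PAGES bits, then hand control back. Returning
 * TRACK_AGAIN lets the caller reschedule instead of holding a physical
 * CPU for the whole range in one call.
 */
int track_clear_step(struct track_req *r, uint8_t *bitmap, size_t bytes)
{
    uint64_t i, end;
    int rc = track_validate(r);

    if (rc != 0)
        return rc;
    if (bitmap == NULL || bytes < (r->nr + 7) / 8)
        return -EINVAL;

    end = r->done + BATCH_PAGES;
    if (end > r->nr)
        end = r->nr;
    for (i = r->done; i < end; i++)
        bitmap[i / 8] &= (uint8_t)~(1u << (i % 8));
    r->done = end;
    return r->done == r->nr ? TRACK_DONE : TRACK_AGAIN;
}

/* Drive the steps to completion; returns the number of steps or -errno. */
long track_clear_all(struct track_req *r, uint8_t *bitmap, size_t bytes)
{
    long steps = 0;
    int rc;

    do {
        rc = track_clear_step(r, bitmap, bytes);
        if (rc < 0)
            return rc;
        steps++;
    } while (rc == TRACK_AGAIN);
    return steps;
}
```
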


From xen-announce-bounces@lists.xen.org Tue Dec 18 15:14:31 2012
Message-ID: <50D08573.7020303@xen.org>
Date: Tue, 18 Dec 2012 15:02:11 +0000
From: Lars Kurth <lars.kurth@xen.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: xen-announce@lists.xen.org
X-Mailman-Approved-At: Tue, 18 Dec 2012 15:12:04 +0000
Subject: [Xen-announce] Xen 4.2.1 and 4.1.4 released,
 Security Disclosure Process Discussion Update
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: lars.kurth@xen.org
Content-Type: multipart/mixed; boundary="===============5100712662788891745=="
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

--===============5100712662788891745==
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <h1>Xen 4.2.1 and 4.1.4 released</h1>
    <i>The original article, by Jan Beulich, can be found <a
href="http://blog.xen.org/index.php/2012/12/18/xen-4-2-1-and-4-1-4-released/#more-5918">here</a></i><br>
    <br>
    I am pleased to announce the release of Xen 4.2.1 and Xen 4.1.4.
    These are available immediately from the following locations:<br>
    <ul>
      <li>Xen 4.2.1: <a
          href="http://xenbits.xen.org/hg/xen-4.2-testing.hg/">mercurial
          repository (tag RELEASE-4.2.1)</a> or via the <a
          href="http://xen.org/download/index_4.2.1.html">Xen 4.2.1
          download</a> page on xen.org.</li>
      <li>Xen 4.1.4: <a
          href="http://xenbits.xen.org/hg/xen-4.1-testing.hg">mercurial
          repository (tag RELEASE-4.1.4)</a> or via the <a
          href="http://xen.org/download/index_4.1.4.html">Xen 4.1.4
          download</a> page on xen.org.</li>
    </ul>
    We recommend that all users of Xen 4.2.0 upgrade to Xen 4.2.1 and
    that users of the 4.0 and 4.1 stable series upgrade to Xen 4.1.4.<br>
    <h2>Xen 4.2.1</h2>
    We recommend that all users of Xen 4.2.0 upgrade to Xen 4.2.1. The
    Xen 4.2.1 release fixes the following critical vulnerabilities:<br>
    <ul>
      <li>CVE-2012-4535 / XSA-20: Timer overflow DoS vulnerability</li>
      <li>CVE-2012-4537 / XSA-22: Memory mapping failure DoS
        vulnerability</li>
      <li>CVE-2012-4538 / XSA-23: Unhooking empty PAE entries DoS
        vulnerability</li>
      <li>CVE-2012-4539 / XSA-24: Grant table hypercall infinite
        loop DoS vulnerability</li>
      <li>CVE-2012-4544, CVE-2012-2625 / XSA-25: Xen domain builder
        Out-of-memory due to malicious kernel/ramdisk</li>
      <li>CVE-2012-5510 / XSA-26: Grant table version switch list
        corruption vulnerability</li>
      <li>CVE-2012-5511 / XSA-27: Several HVM operations do not
        validate the range of their inputs</li>
      <li>CVE-2012-5513 / XSA-29: XENMEM_exchange may overwrite
        hypervisor memory</li>
      <li>CVE-2012-5514 / XSA-30: Broken error handling in
        guest_physmap_mark_populate_on_demand()</li>
      <li>CVE-2012-5515 / XSA-31: Several memory hypercall
        operations allow invalid extent order values</li>
      <li>CVE-2012-5525 / XSA-32: several hypercalls do not validate
        input GFNs</li>
    </ul>
    Among many bug fixes and improvements (around 100 since Xen 4.2.0),
    highlights are:<br>
    <ul>
      <li>A fix for a long standing time management issue</li>
      <li>Bug fixes for S3 (suspend to RAM) handling</li>
      <li>Bug fixes for other low level system state handling</li>
      <li>Bug fixes and improvements to the libxl tool stack</li>
      <li>Bug fixes to nested virtualization</li>
    </ul>
    <h2>Xen 4.1.4</h2>
    We recommend that all users of the 4.0 and 4.1 stable series
    upgrade to Xen 4.1.4. The Xen 4.1.4 release contains fixes for the
    following critical vulnerabilities:<br>
    <ul>
      <li>CVE-2012-3494 / XSA-12: hypercall set_debugreg
        vulnerability</li>
      <li>CVE-2012-3495 / XSA-13: hypercall physdev_get_free_pirq
        vulnerability</li>
      <li>CVE-2012-3496 / XSA-14: XENMEM_populate_physmap DoS
        vulnerability</li>
      <li>CVE-2012-3498 / XSA-16: PHYSDEVOP_map_pirq index
        vulnerability</li>
      <li>CVE-2012-3515 / XSA-17: Qemu VT100 emulation vulnerability</li>
      <li>CVE-2012-4411 / XSA-19: guest administrator can access
        qemu monitor console</li>
      <li>CVE-2012-4535 / XSA-20: Timer overflow DoS vulnerability</li>
      <li>CVE-2012-4536 / XSA-21: pirq range check DoS vulnerability</li>
      <li>CVE-2012-4537 / XSA-22: Memory mapping failure DoS
        vulnerability</li>
      <li>CVE-2012-4538 / XSA-23: Unhooking empty PAE entries DoS
        vulnerability</li>
      <li>CVE-2012-4539 / XSA-24: Grant table hypercall infinite
        loop DoS vulnerability</li>
      <li>CVE-2012-4544, CVE-2012-2625 / XSA-25: Xen domain builder
        Out-of-memory due to malicious kernel/ramdisk</li>
      <li>CVE-2012-5510 / XSA-26: Grant table version switch list
        corruption vulnerability</li>
      <li>CVE-2012-5511 / XSA-27: several HVM operations do not
        validate the range of their inputs</li>
      <li>CVE-2012-5512 / XSA-28: HVMOP_get_mem_access crash /
        HVMOP_set_mem_access information leak</li>
      <li>CVE-2012-5513 / XSA-29: XENMEM_exchange may overwrite
        hypervisor memory</li>
      <li>CVE-2012-5514 / XSA-30: Broken error handling in
        guest_physmap_mark_populate_on_demand()</li>
      <li>CVE-2012-5515 / XSA-31: Several memory hypercall
        operations allow invalid extent order values</li>
    </ul>
    Among many bug fixes and improvements (almost 100 since Xen 4.1.3),
    highlights are:<br>
    <ul>
      <li>A fix for a long standing time management issue</li>
      <li>Bug fixes for S3 (suspend to RAM) handling</li>
      <li>Bug fixes for other low level system state handling</li>
    </ul>
    <h1>Security disclosure process discussion update</h1>
    <i>You can find the original article by George Dunlap, </i><a
href="http://blog.xen.org/index.php/2012/12/17/security-disclosure-process-discussion-update/"><i>here</i></a><i><br>
    </i><br>
    After concluding our poll about changes to the security discussion,
    we determined that &#8220;Pre-disclosure to software vendors and a wide
    set of users&#8221; was probably the best fit for the community. A set of
    concrete changes to the policy have now been discussed on xen-devel
    (here and here), and we seem to have converged on something everyone
    finds acceptable.<br>
    <br>
    We are now presenting these changes for public review. The purpose
    of this review process is to allow feedback on the text which will
    be voted on, in accordance with the Xen.org governance procedure. Our
    plan is to leave this up for review <b>until the third week in
      January</b>. Any substantial updates will be mentioned on the blog
    and will extend the review time.<br>
    <br>
    All <b>feedback and discussion should happen in public on the
      xen-devel mailing list</b>. If you have any suggestions for how to
    improve the proposal, please e-mail the list, and cc George Dunlap
    (george dot dunlap at citrix.com).<br>
    <br>
    Read on for a summary of the updates, as well as links to the full
    text of the original and proposed new policies.<br>
    <h2>Summary of the updates</h2>
    As discussed on the xen-devel mailing list, expand eligibility of
    the pre-disclosure list to include any public hosting provider, as
    well as software projects:<br>
    <ul>
      <li>Change &#8220;Large hosting providers&#8221; to &#8220;Public hosting providers&#8221;</li>
      <li>Remove &#8220;widely-deployed&#8221; from vendors and distributors</li>
      <li>Add rules of thumb for what constitutes &#8220;genuine&#8221;</li>
      <li>Add an itemized list of information to be included in the
        application, to make expectations clear and (hopefully)
        applications more streamlined.</li>
    </ul>
    The first will allow hosting providers of any size to join. The
    second will allow software projects and vendors of any size to join.
    The third and fourth will help describe exactly what criteria will
    be used to determine eligibility for 1 and 2.<br>
    <br>
    Additionally, this proposal adds the following requirements:<br>
    <ul>
      <li>Applicants and current members must use an e-mail alias, not
        an individual&#8217;s e-mail</li>
      <li>Applicants and current members must submit a statement saying
        that they have read, understand, and will abide by this process
        document.</li>
    </ul>
    The new policy in its entirety can be found here:<br>
    <blockquote><a
        href="http://wiki.xen.org/wiki/Security_vulnerability_process_draft">http://wiki.xen.org/wiki/Security_vulnerability_process_draft</a><br>
    </blockquote>
    For comparison, the current policy can be found here:<br>
    <blockquote><a
        href="http://www.xen.org/projects/security_vulnerability_process.html">http://www.xen.org/projects/security_vulnerability_process.html</a><br>
    </blockquote>
  </body>
</html>


--===============5100712662788891745==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--===============5100712662788891745==--


