From xen-announce-bounces@lists.xen.org Fri Jan 04 16:07:33 2013
Date: Fri, 04 Jan 2013 16:01:03 +0000
Message-Id: <E1Tr9he-0007fM-NC@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 37 (CVE-2013-0154) -
 Hypervisor crash due to incorrect ASSERT (debug build only)


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-0154 / XSA-37

     Hypervisor crash due to incorrect ASSERT (debug build only)

ISSUE DESCRIPTION
=================

A change to an internal interface within the hypervisor invalidated an
ASSERT in a caller of that API. This code path is exposed to PV guests
via a hypercall, allowing administrators of PV guests to crash the
hypervisor if it is built with debugging enabled.

IMPACT
======

Malicious administrators of PV guests running on hypervisors built
with the non-default debug=y option can crash the host.

VULNERABLE SYSTEMS
==================

Systems running Xen 4.2 and unstable are vulnerable to this issue. Xen
4.1 and earlier are not vulnerable.

Only systems built with debugging enabled are vulnerable. Debugging is
not enabled by default.

Systems running PV guests or HVM guests using stubdomains are
vulnerable. Systems which run only HVM guests without stubdomains are
not vulnerable.

MITIGATION
==========

Building the hypervisor without debugging enabled will completely
avoid this issue. Note that debugging is not enabled by default.

Avoiding running PV guests with untrusted administrators will also
avoid this issue.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on xen-devel; the person reporting
it did not appreciate that it was a security issue.  Under the
circumstances the Xen.org security team do not consider that this
advisory should be embargoed.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa37-4.2.patch             Xen 4.2.x
xsa37-unstable.patch        xen-unstable

$ sha256sum xsa37*.patch
beb9406e2d2de7a9768034af443b2eb30f69cd6e4688ceb63305595d2221194d  xsa37-4.2.patch
161f41f95bd679cdb19e37df4da6a75386af4689118377ec501a9e3d4f66c873  xsa37-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQ5vyNAAoJEIP+FMlX6CvZkGUH/38HiKMfj+95DCgRzQI8dGpu
6bvyhnHOY1WyGPGmDYuaMfLhOdBIoOdR46qMkC7R4kgaNqRIrev2KmzXSF//UuRq
w/8eUwby1jGmZ4NnrxjBQfHQMUywkZGO0IdSzK573nCsOBDMH42Ec/vtEpnJsNK/
vxWibmsPmNvDuZ0l/fhuc78iGcpF1D2T9D5ndujfJQ02cYFKeXVzBLuMtA/+YAPF
JszVIknZnXYKoVjcXMOf5qokRxZehsI4BsbI6A4AxxZboSBzV1lX+fkPqGZnUury
oiGTSIzdnTq4UbgrgV3JJGcfsCpB2xm5pDLsmXiggd8Zjo2oW25dWrpmTo5B8dU=
=bPx0
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa37-4.2.patch"
Content-Disposition: attachment; filename="xsa37-4.2.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa37-unstable.patch"
Content-Disposition: attachment; filename="xsa37-unstable.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
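
The failure mode in the XSA-37 ISSUE DESCRIPTION above, as an added model: this is not Xen source code and not the content of the attached patches. All names (take_ref, caller_stale, caller_fixed, the request kinds, the -EBUSY return value) are hypothetical, and the debug=y compile-time switch is modelled as a runtime flag so both builds can be compared in one program.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of "an interface change invalidated an ASSERT in a
 * caller". Nothing here is taken from the Xen tree. */

enum build { BUILD_RELEASE, BUILD_DEBUG };   /* models debug=n / debug=y */
enum req   { REQ_OK, REQ_BAD_TYPE, REQ_CONTENDED };

static bool host_crashed;   /* set where a real debug build would panic */

/* In a release build ASSERT compiles to nothing; in a debug build a failed
 * ASSERT takes the whole host down. The flag stands in for that panic. */
static void model_assert(enum build b, bool cond)
{
    if (b == BUILD_DEBUG && !cond)
        host_crashed = true;
}

/* Internal interface AFTER the change: it used to fail only with -EINVAL,
 * and now it can also report a transient conflict as -EBUSY. */
static int take_ref(enum req r)
{
    switch (r) {
    case REQ_OK:        return 0;
    case REQ_BAD_TYPE:  return -EINVAL;
    case REQ_CONTENDED: return -EBUSY;   /* new return value */
    }
    return -EINVAL;
}

/* Caller written against the OLD contract. The ASSERT encodes "the only
 * failure is -EINVAL", which stopped being true when the callee changed. */
static int caller_stale(enum build b, enum req r)
{
    int rc = take_ref(r);
    if (rc == 0)
        return 1;
    model_assert(b, rc == -EINVAL);
    return 0;
}

/* One possible correction: the ASSERT accepts every failure the callee is
 * now documented to return, so a guest-reachable error is handled as an
 * ordinary failure instead of being treated as a hypervisor bug. */
static int caller_fixed(enum build b, enum req r)
{
    int rc = take_ref(r);
    if (rc == 0)
        return 1;
    model_assert(b, rc == -EINVAL || rc == -EBUSY);
    return 0;
}

typedef int (*caller_fn)(enum build, enum req);

/* Run one request through a caller and report whether the host stays up. */
static bool host_survives(caller_fn fn, enum build b, enum req r)
{
    host_crashed = false;
    (void)fn(b, r);
    return !host_crashed;
}

int main(void)
{
    printf("stale ASSERT, release build, contended request: host %s\n",
           host_survives(caller_stale, BUILD_RELEASE, REQ_CONTENDED) ? "up" : "DOWN");
    printf("stale ASSERT, debug build,   contended request: host %s\n",
           host_survives(caller_stale, BUILD_DEBUG, REQ_CONTENDED) ? "up" : "DOWN");
    printf("fixed ASSERT, debug build,   contended request: host %s\n",
           host_survives(caller_fixed, BUILD_DEBUG, REQ_CONTENDED) ? "up" : "DOWN");
    return 0;
}
```

The same request is harmless in the release build and fatal in the debug build, which is why the advisory limits the impact to hypervisors built with debug=y.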


From xen-announce-bounces@lists.xen.org Wed Jan 16 14:53:18 2013
Date: Fri, 11 Jan 2013 17:11:48 +0000
Message-Id: <E1Tti8y-0006uU-7E@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 33 (CVE-2012-5634) - VT-d
 interrupt remapping source validation flaw


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5634 / XSA-33
                             version 3

	   VT-d interrupt remapping source validation flaw

UPDATES IN VERSION 3
====================

The patch supplied for Xen 4.1 (xsa33-4.1.patch) contained a build
error. A corrected patch is attached. The fix is also now available in
http://xenbits.xen.org/hg/xen-4.1-testing.hg as changeset
23441:2a91623a5807

ISSUE DESCRIPTION
=================

When passing a device which is behind a legacy PCI bridge through to
a guest, Xen incorrectly configures the VT-d hardware. This could allow
incorrect interrupts to be injected to other guests which also have
passthrough devices.

In a typical Xen system many devices are owned by domain 0 or driver
domains, leaving them vulnerable to such an attack. Such a DoS is
likely to have an impact on other guests running in the system.

IMPACT
======

A malicious domain, given access to a device which is behind a legacy
PCI bridge, can mount a denial of service attack affecting the whole
system.

VULNERABLE SYSTEMS
==================

Xen version 4.0 onwards is vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

Any domain which is given access to a PCI device that is behind a
legacy PCI bridge can take advantage of this vulnerability.

Domains which are given access to PCIe devices only are not able to
take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices which are
behind a legacy PCI bridge to untrusted guests.

NOTE REGARDING EMBARGO TIMELINE
===============================

After discussion with the discloser we have decided to set a longer
than usual embargo in order to avoid public disclosure during the
holiday period.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa33-4.2-unstable.patch          Xen 4.2.x, xen-unstable
xsa33-4.1.patch                   Xen 4.1.x

$ sha256sum xsa33*.patch
cb015155e63c1ccedfe2ef01b2f2679ac14b00fa20d423bb1570199c3dd66af6  xsa33-4.1.patch
ba05474b8e1232318ae010d63d24ff1b15ba4d83e28cdb69d6a76e8f9eb5292c  xsa33-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQ8EdlAAoJEIP+FMlX6CvZVs0IAJJBsSxzETJbHGE16+1UEYD5
Tk3STo7nuf/qZKQUc8ORpepRd9+b34jgtwi/kdkqxyo3fza/SXuNNcAhPew1+TtT
+GGeXRoNjEQIcho5KjLLEMwogW+gi7I/Y3XM3FZUfKU659sqltqsVly3HC8nstlw
iwiAIKcXnuJa/ARMdcV0/IgKBu3AjAd7me3XnKVb7Kl0ZoOo+7FFQRlKxWkSthpJ
ALkNoqyPXzlHN9lMfdPJF5Gyxhqprp8Xg9jdEVZnKNQx0Jzl8SsahJWEUVlgeeLo
fIGAXgc12yvsL4CRS1z3uSwpon1AgOV0XT9V6xWtoeXraKhmvTQN4LCEqF8ovzg=
=qMzC
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa33-4.1.patch"
Content-Disposition: attachment; filename="xsa33-4.1.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa33-4.2-unstable.patch"
Content-Disposition: attachment; filename="xsa33-4.2-unstable.patch"
Content-Transfer-Encoding: base64

--=separator--


From xen-announce-bounces@lists.xen.org Wed Jan 16 14:53:18 2013
Date: Wed, 16 Jan 2013 14:50:11 +0000
Message-Id: <E1TvUJf-0002Qy-Qt@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 40 (CVE-2013-0190) - Linux
 stack corruption in xen_failsafe_callback for 32bit PVOPS guests.


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-0190 / XSA-40

 Linux stack corruption in xen_failsafe_callback for 32bit PVOPS guests.

ISSUE DESCRIPTION
=================

xen_failsafe_callback incorrectly sets up its stack if an iret fault is
injected by the hypervisor.

IMPACT
======

Malicious or buggy unprivileged userspace can cause the guest kernel to
crash, or operate erroneously.

VULNERABLE SYSTEMS
==================

All 32bit PVOPS versions of Linux are affected, since the introduction
of Xen PVOPS support in 2.6.23.  Classic-Xen kernels are not vulnerable.

MITIGATION
==========

This can be mitigated by not running 32bit PVOPS Linux guests.

32bit classic-Xen guests, all 64bit PV guests and all HVM guests are
unaffected.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa40.patch

$ sha256sum xsa40*.patch
b6aa67b4605f6088f757ca28093d265c71e456906619d81d129bf656944ed721  xsa40.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQ9r4HAAoJEIP+FMlX6CvZhIMIAKa3l8CMZ4Di0gyp1cVi95es
0Pzq8qV5Qwla+NZEuz1O91UAxzwke8mrVsKK9PQCUVqdrmKbIrWjGX3b/KNIoa3d
hCGBd1wkTld7XmQxNfr+0BcfybqM92dww623rhv6G2jPaehOMVGWl28vomwkMU9E
iT/z2dqYJuAkcq6hobJ02tyfABl5sWNDE+HvI6EFxTptzeUGQtaPm9q6qbdbw1pT
InAae/VU7u+qAZTr0MY8kncFiK3206LvJX2Wq6YBI6LCFw4eaOvTFfJiAvFojqQb
nl5PT2KXH3IbiZEAiSOENBRiudkzxY0OfGyTnyuwsZuJa7SaI47pN1Sp5YtRPf0=
=9uNq
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa40.patch"
Content-Disposition: attachment; filename="xsa40.patch"
Content-Transfer-Encoding: base64

--=separator--



ISSUE DESCRIPTION
=================

xen_failsafe_callback incorrectly sets up its stack if an iret fault is
injected by the hypervisor.

IMPACT
======

Malicious or buggy unprivileged userspace can cause the guest kernel to
crash, or operate erroneously.

VULNERABLE SYSTEMS
==================

All 32bit PVOPS versions of Linux are affected, since the introduction
of Xen PVOPS support in 2.6.23.  Classic-Xen kernels are not vulnerable.

MITIGATION
==========

This can be mitigated by not running 32bit PVOPS Linux guests.

32bit classic-Xen guests, all 64bit PV guests and all HVM guests are
unaffected.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa40.patch

$ sha256sum xsa40*.patch
b6aa67b4605f6088f757ca28093d265c71e456906619d81d129bf656944ed721  xsa40.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa40.patch"
Content-Disposition: attachment; filename="xsa40.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Wed Jan 16 14:53:19 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 16 Jan 2013 14:53:19 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TvUKp-0001uV-Hs; Wed, 16 Jan 2013 14:51:23 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TvUKI-0001h7-6g; Wed, 16 Jan 2013 14:50:50 +0000
Received: from [85.158.139.211:61023] by server-4.bemta-5.messagelabs.com id
	C4/96-14295-94EB6F05; Wed, 16 Jan 2013 14:50:49 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-9.tower-206.messagelabs.com!1358347829!16881290!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.7; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 4542 invoked from network); 16 Jan 2013 14:50:35 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-9.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	16 Jan 2013 14:50:35 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TvUJq-0008Ia-7r; Wed, 16 Jan 2013 14:50:22 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TvUJp-0002SX-TY; Wed, 16 Jan 2013 14:50:21 +0000
Date: Wed, 16 Jan 2013 14:50:21 +0000
Message-Id: <E1TvUJp-0002SX-TY@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Wed, 16 Jan 2013 14:51:20 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 41 (CVE-2012-6075) - qemu
 (e1000 device driver): Buffer overflow when processing large packets
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-6075 / XSA-41
 qemu (e1000 device driver): Buffer overflow when processing large packets

SUMMARY AND SOURCES OF INFORMATION
==================================

An issue in qemu has been disclosed which we believe affects some
users of Xen.

The Qemu project has not itself issued an advisory. More information
may be available in the advisories published by the distros:

https://bugzilla.redhat.com/show_bug.cgi?id=889301
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696051

CAVEAT
======

For full and accurate information please refer to those advisories.
We have not conducted a full review of the information and patches
provided.

The rest of the information in this advisory is true to the best of
our knowledge at the time of writing.

IMPACT
======

The vulnerability impacts any host running HVM (Fully-Emulated) guests
which are configured with an e1000 NIC (using "model=e1000") in their
VIF configuration. Note that the default emulated NIC is "rtl8139",
which is not vulnerable.

In a vulnerable configuration, a hostile network packet may be able to
corrupt the memory of the guest, leading to a guest DoS or remote
privilege escalation.

We do not believe that this issue enables an attack against the host.

MITIGATION
==========

Limiting the size of network frames (e.g. by disabling jumbo frames)
on the local network and the Xen bridge may reduce or eliminate
guests' vulnerability to the bug.

RESOLUTION
==========

The patch is this git commit:
  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=b0d9ffcd0251161c7c92f94804dcf599dfa3edeb

The fix has been applied to all qemu branches contained in Xen version
4.1 onwards.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator--
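
One way to find guests in the configuration XSA-41 describes, as an added example that is not part of the advisory or of Xen: it scans xl/xm-style domain configuration text for HVM guests whose "vif" list names model=e1000. The configuration snippets are constructed samples, the function names are hypothetical, and recognising HVM guests by `builder` or `type` set to "hvm" is an assumption about how the guests are declared.

```python
import re


def strip_comments(text):
    """Drop '#' comments, leaving '#' characters inside quoted strings alone."""
    kept = []
    for line in text.splitlines():
        quote = None
        for i, ch in enumerate(line):
            if quote:
                if ch == quote:
                    quote = None
            elif ch in "\"'":
                quote = ch
            elif ch == "#":
                line = line[:i]
                break
        kept.append(line)
    return "\n".join(kept)


def scalar(text, key):
    """Value of a top-level `key = "value"` assignment, or None."""
    pattern = r'^[ \t]*%s[ \t]*=[ \t]*(["\'])(.*?)\1' % re.escape(key)
    m = re.search(pattern, text, re.M)
    return m.group(2) if m else None


def vif_specs(text):
    """The quoted entries of the `vif = [ ... ]` list, which may span lines."""
    m = re.search(r'^[ \t]*vif[ \t]*=[ \t]*\[(.*?)\]', text, re.M | re.S)
    if not m:
        return []
    return [spec for _, spec in re.findall(r'(["\'])(.*?)\1', m.group(1), re.S)]


def parse_vif(spec):
    """Split 'bridge=xenbr0, model=e1000' into {'bridge': ..., 'model': ...}."""
    fields = {}
    for item in spec.split(","):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def e1000_vifs(text):
    """Indexes of vif entries with model=e1000, for HVM guests only."""
    text = strip_comments(text)
    # Assumption: an HVM guest declares builder="hvm" (or type="hvm" in
    # newer xl syntax); anything else is treated as PV and out of scope.
    if "hvm" not in (scalar(text, "builder"), scalar(text, "type")):
        return []
    return [i for i, spec in enumerate(vif_specs(text))
            if parse_vif(spec).get("model", "").lower() == "e1000"]


def audit(configs):
    """Map config name -> flagged vif indexes, omitting unaffected guests."""
    findings = {}
    for name, text in configs.items():
        hits = e1000_vifs(text)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample configurations (not taken from any real host).
SAMPLES = {
    "web01.cfg": '''
name = "web01"
builder = "hvm"
vif = [ "mac=00:16:3e:00:00:01,bridge=xenbr0,model=e1000" ]
''',
    "db01.cfg": '''
name = "db01"
builder = "hvm"
# model=e1000 appears only in this comment and must be ignored
vif = [ "bridge=xenbr0",
        "bridge=xenbr1, model=E1000" ]
''',
    "build01.cfg": '''
name = "build01"
builder = "hvm"
vif = [ "bridge=xenbr0,model=rtl8139" ]
''',
    "pv01.cfg": '''
name = "pv01"
kernel = "/boot/vmlinuz-guest"
vif = [ "bridge=xenbr0,model=e1000" ]   # not HVM: outside the advisory's scope
''',
}

if __name__ == "__main__":
    for name, hits in sorted(audit(SAMPLES).items()):
        print(f"{name}: e1000 on vif index(es) {hits}")
```
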


From xen-announce-bounces@lists.xen.org Wed Jan 16 14:53:19 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 16 Jan 2013 14:53:19 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TvUKn-0001tZ-Af; Wed, 16 Jan 2013 14:51:21 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TsvYC-0006u2-Mj; Wed, 09 Jan 2013 13:18:36 +0000
Received: from [85.158.137.99:3217] by server-6.bemta-3.messagelabs.com id
	BF/F2-12154-B2E6DE05; Wed, 09 Jan 2013 13:18:35 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-15.tower-217.messagelabs.com!1357737513!20166311!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.8; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 20531 invoked from network); 9 Jan 2013 13:18:34 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-15.tower-217.messagelabs.com with AES256-SHA encrypted SMTP;
	9 Jan 2013 13:18:34 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TsvY1-0001X8-4U; Wed, 09 Jan 2013 13:18:25 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TsvY0-00005Q-Is; Wed, 09 Jan 2013 13:18:24 +0000
Date: Wed, 09 Jan 2013 13:18:24 +0000
Message-Id: <E1TsvY0-00005Q-Is@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Wed, 16 Jan 2013 14:51:20 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 33 (CVE-2012-5634) - VT-d
 interrupt remapping source validation flaw
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5634 / XSA-33
                             version 2

	   VT-d interrupt remapping source validation flaw

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

When passing a device which is behind a legacy PCI Bridge through to
a guest, Xen incorrectly configures the VT-d hardware. This could allow
incorrect interrupts to be injected to other guests which also have
passthrough devices.

In a typical Xen system many devices are owned by domain 0 or driver
domains, leaving them vulnerable to such an attack. Such a DoS is
likely to have an impact on other guests running in the system.

IMPACT
======

A malicious domain, given access to a device which is behind a legacy
PCI bridge, can mount a denial of service attack affecting the whole
system.

VULNERABLE SYSTEMS
==================

Xen version 4.0 onwards is vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

Any domain which is given access to a PCI device that is behind a
legacy PCI bridge can take advantage of this vulnerability.

Domains which are given access to PCIe devices only are not able to
take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices which are
behind a legacy PCI bridge to untrusted guests.

NOTE REGARDING EMBARGO TIMELINE
===============================

After discussion with the discloser we have decided to set a longer
than usual embargo in order to avoid public disclosure during the
holiday period.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa33-4.2-unstable.patch          Xen 4.2.x, xen-unstable
xsa33-4.1.patch                   Xen 4.1.x

$ sha256sum xsa33*.patch
b97ce505a4ea92d574d0b3abef7b4c600b7fdc682787dfd1e50fddd520f6a87d  xsa33-4.1.patch
ba05474b8e1232318ae010d63d24ff1b15ba4d83e28cdb69d6a76e8f9eb5292c  xsa33-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa33-4.1.patch"
Content-Disposition: attachment; filename="xsa33-4.1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa33-4.2-unstable.patch"
Content-Disposition: attachment; filename="xsa33-4.2-unstable.patch"
Content-Transfer-Encoding: base64
--=separator--
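
A check of an advisory mail's attached patches against the "$ sha256sum" transcript in its text part, as an added example that is not part of the advisory or of Xen. The message, the patch bytes and the xsaNN file names are constructed so the block runs offline, and the function names are hypothetical.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# One line of `sha256sum` output: 64 hex digits, a space, ' ' or '*', the name.
DIGEST_LINE = re.compile(r"^([0-9a-f]{64}) [ *](\S.*)$")


def parse_sha256_transcript(text):
    """Return {filename: digest} for the lines following a '$ sha256sum' prompt."""
    expected, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("$ sha256sum"):
            in_block = True
            continue
        if not in_block:
            continue
        m = DIGEST_LINE.match(line)
        if not m:
            in_block = False          # the bare '$' prompt ends the transcript
            continue
        digest, name = m.groups()
        if expected.setdefault(name, digest) != digest:
            raise ValueError("conflicting digests listed for " + name)
    return expected


def check_files(expected, files):
    """Compare {name: bytes} with {name: digest}; return {name: status}."""
    report = {}
    for name, digest in expected.items():
        if name not in files:
            report[name] = "missing"
        elif hashlib.sha256(files[name]).hexdigest() == digest:
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    for name in files:
        report.setdefault(name, "unlisted")
    return report


def verify_advisory_mail(raw):
    """Check every named attachment against the transcript in the first text part.

    The digests are only as trustworthy as the text that carries them, so the
    PGP signature on that text has to be verified separately (not done here).
    """
    msg = message_from_bytes(raw, policy=policy.default)
    text, files = None, {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            files[name] = part.get_payload(decode=True)   # undoes base64
        elif text is None and part.get_content_type() == "text/plain":
            text = part.get_content()
    return check_files(parse_sha256_transcript(text or ""), files)


def build_sample_mail():
    """Constructed message: one intact patch, one altered, one listed but absent."""
    patch_a = b"--- a/f.c\n+++ b/f.c\n@@ constructed patch A @@\n"
    patch_b = b"--- a/f.c\n+++ b/f.c\n@@ constructed patch B @@\n"
    patch_c = b"--- a/f.c\n+++ b/f.c\n@@ constructed patch C @@\n"
    body = (
        "RESOLUTION\n==========\n\n"
        "Applying the appropriate attached patch resolves this issue.\n\n"
        "$ sha256sum xsaNN*.patch\n"
        f"{hashlib.sha256(patch_a).hexdigest()}  xsaNN-4.1.patch\n"
        f"{hashlib.sha256(patch_b).hexdigest()}  xsaNN-4.2.patch\n"
        f"{hashlib.sha256(patch_c).hexdigest()}  xsaNN-unstable.patch\n"
        "$\n"
    )
    msg = EmailMessage()
    msg["Subject"] = "constructed advisory"
    msg.set_content(body)
    msg.add_attachment(patch_a, maintype="application",
                       subtype="octet-stream", filename="xsaNN-4.1.patch")
    msg.add_attachment(patch_b + b"extra hunk\n", maintype="application",
                       subtype="octet-stream", filename="xsaNN-4.2.patch")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, status in sorted(verify_advisory_mail(build_sample_mail()).items()):
        print(f"{status:9} {name}")
```
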


From xen-announce-bounces@lists.xen.org Thu Jan 17 12:28:53 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 17 Jan 2013 12:28:53 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TvoYE-0006FN-UB; Thu, 17 Jan 2013 12:26:34 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TvoYC-0006F3-UJ; Thu, 17 Jan 2013 12:26:33 +0000
Received: from [85.158.143.99:64753] by server-1.bemta-4.messagelabs.com id
	7C/1C-18740-8FDE7F05; Thu, 17 Jan 2013 12:26:32 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-13.tower-216.messagelabs.com!1358425587!27429326!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.7; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 13586 invoked from network); 17 Jan 2013 12:26:28 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-13.tower-216.messagelabs.com with AES256-SHA encrypted SMTP;
	17 Jan 2013 12:26:28 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TvoXz-0005JA-9R; Thu, 17 Jan 2013 12:26:19 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TvoXy-0002vk-Te; Thu, 17 Jan 2013 12:26:19 +0000
Date: Thu, 17 Jan 2013 12:26:18 +0000
Message-Id: <E1TvoXy-0002vk-Te@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 27 (CVE-2012-5511,
 CVE-2012-6333) - several HVM operations do not validate the range
 of their inputs
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Xen Security Advisory CVE-2012-5511,CVE-2012-6333 / XSA-27
                           version 5

   several HVM operations do not validate the range of their inputs

UPDATES IN VERSION 5
====================

The supplied patch for 4.1 was found to contain a bug. The patch has
been updated. The incremental fix can be found at
http://lists.xen.org/archives/html/xen-devel/2013-01/msg01193.html

Mitre have asked that two CVEs are used for the issues described here:
 * CVE-2012-5511 now applies only to the stack-based buffer overflow
   that was fixed in 4.2.
 * CVE-2012-6333 applies to the large input validation issues.

ISSUE DESCRIPTION
=================

Several HVM control operations do not check the size of their inputs
and can tie up a physical CPU for extended periods of time.

In addition, dirty video RAM tracking involves clearing the bitmap
provided by the domain controlling the guest (e.g. dom0 or a
stubdom). If the size of that bitmap is overly large, an intermediate
variable on the hypervisor stack may overflow that stack.

IMPACT
======

A malicious guest administrator can cause Xen to become unresponsive
or to crash, leading in either case to a Denial of Service.

VULNERABLE SYSTEMS
==================

All Xen versions from 3.4 onwards are vulnerable.

However, Xen 4.2 and unstable are not vulnerable to the stack
overflow. Systems running either of these are not vulnerable to the
crash.

Versions 3.4, 4.0 and 4.1 are vulnerable to both the stack overflow and
the physical CPU hang.

The vulnerability is only exposed to HVM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa27-4.1.patch             Xen 4.1.x
xsa27-4.2.patch             Xen 4.2.x
xsa27-unstable.patch        xen-unstable


$ sha256sum xsa27*.patch
82c9160484165acdebf91e8d80538829c756cf5abc2d8d890c8b4abd9aa4800a  xsa27-4.1.patch
462eae827944d1d337a6ebf13a36ea952d7fb76b993b9c29946e1d9cfb5ea2a3  xsa27-4.2.patch
fcb07c6bd78a0d9513a68e2eb3bf0c21ef4d8ff0e6ebf6fdce04a3170303cab6  xsa27-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa27-4.1.patch"
Content-Disposition: attachment; filename="xsa27-4.1.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa27-4.2.patch"
Content-Disposition: attachment; filename="xsa27-4.2.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa27-unstable.patch"
Content-Disposition: attachment; filename="xsa27-unstable.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
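
The two defensive patterns behind the XSA-27 issue description above (a range check with a fixed-size scratch buffer instead of a stack array sized by the caller, and a batch loop that saves its progress and asks to be re-invoked), as an added C example that is not part of the advisory and not Xen source code. The names clear_dirty_bitmap, process_range and copy_to_caller, the 1 GiB cap and the 256-page batch size are assumptions chosen for illustration.

```c
/* Added example, not Xen source. All names and limits are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE      4096u
#define BITS_PER_LONG  (8 * sizeof(unsigned long))
#define MAX_PAGES      (1u << 18)   /* assumed cap: 1 GiB of 4 KiB pages */
#define BATCH          256u         /* assumed work budget per call */

/* Constructed stand-in for memory owned by the calling domain. */
struct caller_buf { uint8_t *base; size_t len; };

/* Stand-in copy-to-caller primitive: refuses out-of-range writes. */
static int copy_to_caller(struct caller_buf *dst, size_t off,
                          const void *src, size_t n)
{
    if (off > dst->len || n > dst->len - off)
        return -1;
    memcpy(dst->base + off, src, n);
    return 0;
}

/*
 * Zero the caller's dirty bitmap covering nr pages. The unsafe shape is
 *     unsigned long zeroes[size];   // size derived from nr
 * which places a caller-controlled amount of data on the stack. Here the
 * scratch buffer is one fixed page and the bitmap is cleared in chunks.
 * Returns the number of chunks written, or a negative errno value.
 */
int clear_dirty_bitmap(struct caller_buf *bitmap, uint64_t nr)
{
    static const uint8_t zeroes[PAGE_SIZE];
    size_t size, off = 0;
    int chunks = 0;

    if (nr > MAX_PAGES)                 /* validate the range first */
        return -EINVAL;
    size = (size_t)((nr + BITS_PER_LONG - 1) / BITS_PER_LONG)
           * sizeof(unsigned long);

    while (off < size) {
        size_t todo = size - off < PAGE_SIZE ? size - off : PAGE_SIZE;
        if (copy_to_caller(bitmap, off, zeroes, todo))
            return -EFAULT;
        off += todo;
        chunks++;
    }
    return chunks;
}

struct range_op { uint64_t first; uint64_t nr; };  /* progress lives here */

/*
 * Apply visit() to pages [first, first + nr). At most BATCH pages are
 * handled per call; progress is written back into *op and -EAGAIN tells
 * the caller to re-issue the request, so a single large nr cannot hold
 * the CPU for the whole range in one call.
 */
int process_range(struct range_op *op,
                  void (*visit)(uint64_t pfn, void *ctx), void *ctx)
{
    unsigned int done = 0;

    if (op->nr > MAX_PAGES || op->first > UINT64_MAX - op->nr)
        return -EINVAL;
    while (op->nr > 0) {
        visit(op->first, ctx);
        op->first++;
        op->nr--;
        if (op->nr > 0 && ++done == BATCH)
            return -EAGAIN;             /* not the last page: yield */
    }
    return 0;
}

static void count_page(uint64_t pfn, void *ctx)
{
    (void)pfn;
    ++*(uint64_t *)ctx;
}

/* Re-issue the request until it completes. Returns the number of calls
 * that were needed, or a negative errno value. */
int run_to_completion(uint64_t first, uint64_t nr, uint64_t *visited)
{
    struct range_op op = { first, nr };
    int calls = 0, rc;

    *visited = 0;
    do {
        rc = process_range(&op, count_page, visited);
        calls++;
    } while (rc == -EAGAIN);
    return rc ? rc : calls;
}

int main(void)
{
    static uint8_t mem[32768];          /* constructed sample bitmap */
    struct caller_buf bm = { mem, sizeof(mem) };
    uint64_t visited;

    memset(mem, 0xff, sizeof(mem));
    printf("max range:  %d chunks\n", clear_dirty_bitmap(&bm, MAX_PAGES));
    printf("oversized:  %d\n", clear_dirty_bitmap(&bm, (uint64_t)MAX_PAGES + 1));
    printf("1000 pages: %d calls\n", run_to_completion(0, 1000, &visited));
    return 0;
}
```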


From xen-announce-bounces@lists.xen.org Thu Jan 17 12:28:53 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 17 Jan 2013 12:28:53 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TvoYE-0006FN-UB; Thu, 17 Jan 2013 12:26:34 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TvoYC-0006F3-UJ; Thu, 17 Jan 2013 12:26:33 +0000
Received: from [85.158.143.99:64753] by server-1.bemta-4.messagelabs.com id
	7C/1C-18740-8FDE7F05; Thu, 17 Jan 2013 12:26:32 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-13.tower-216.messagelabs.com!1358425587!27429326!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.7; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 13586 invoked from network); 17 Jan 2013 12:26:28 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-13.tower-216.messagelabs.com with AES256-SHA encrypted SMTP;
	17 Jan 2013 12:26:28 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TvoXz-0005JA-9R; Thu, 17 Jan 2013 12:26:19 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TvoXy-0002vk-Te; Thu, 17 Jan 2013 12:26:19 +0000
Date: Thu, 17 Jan 2013 12:26:18 +0000
Message-Id: <E1TvoXy-0002vk-Te@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 27 (CVE-2012-5511,
 CVE-2012-6333) - several HVM operations do not validate the range
 of their inputs
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Xen Security Advisory CVE-2012-5511,CVE-2012-6333 / XSA-27
                           version 5

   several HVM operations do not validate the range of their inputs

UPDATES IN VERSION 5
====================

The supplied patch for 4.1 was found to contain a bug. The patch has
been updated. The incremental fix can be found at
http://lists.xen.org/archives/html/xen-devel/2013-01/msg01193.html

Mitre have asked that two CVEs are used for the issues described here:
 * CVE-2012-5511 now applies only to the stack-based buffer overflow
   that was fixed in 4.2.
 * CVE-2012-6333 applies to the large input validation issues.

ISSUE DESCRIPTION
=================

Several HVM control operations do not check the size of their inputs
and can tie up a physical CPU for extended periods of time.

In addition, dirty video RAM tracking involves clearing the bitmap
provided by the domain controlling the guest (e.g. dom0 or a
stubdom). If the size of that bitmap is overly large, an intermediate
variable on the hypervisor stack may overflow that stack.

IMPACT
======

A malicious guest administrator can cause Xen to become unresponsive
or to crash, leading in either case to a Denial of Service.

VULNERABLE SYSTEMS
==================

All Xen versions from 3.4 onwards are vulnerable.

However Xen 4.2 and unstable are not vulnerable to the stack
overflow. Systems running either of these are not vulnerable to the
crash.

Versions 3.4, 4.0 and 4.1 are vulnerable to both the stack overflow and
the physical CPU hang.

The vulnerability is only exposed to HVM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa27-4.1.patch             Xen 4.1.x
xsa27-4.2.patch             Xen 4.2.x
xsa27-unstable.patch        xen-unstable


$ sha256sum xsa27*.patch
82c9160484165acdebf91e8d80538829c756cf5abc2d8d890c8b4abd9aa4800a  xsa27-4.1.patch
462eae827944d1d337a6ebf13a36ea952d7fb76b993b9c29946e1d9cfb5ea2a3  xsa27-4.2.patch
fcb07c6bd78a0d9513a68e2eb3bf0c21ef4d8ff0e6ebf6fdce04a3170303cab6  xsa27-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa27-4.1.patch"
Content-Disposition: attachment; filename="xsa27-4.1.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa27-4.2.patch"
Content-Disposition: attachment; filename="xsa27-4.2.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa27-unstable.patch"
Content-Disposition: attachment; filename="xsa27-unstable.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Thu Jan 17 12:31:57 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 17 Jan 2013 12:31:57 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Tvobh-0006qe-V8; Thu, 17 Jan 2013 12:30:09 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Tvobf-0006pq-Or; Thu, 17 Jan 2013 12:30:07 +0000
Received: from [193.109.254.147:64994] by server-6.bemta-14.messagelabs.com id
	C6/E6-25153-ECEE7F05; Thu, 17 Jan 2013 12:30:06 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-12.tower-27.messagelabs.com!1358425719!9212705!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.7; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 24311 invoked from network); 17 Jan 2013 12:28:40 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-12.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	17 Jan 2013 12:28:40 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TvoaA-0005Kp-BB; Thu, 17 Jan 2013 12:28:34 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TvoaA-0002yO-3f; Thu, 17 Jan 2013 12:28:34 +0000
Date: Thu, 17 Jan 2013 12:28:34 +0000
Message-Id: <E1TvoaA-0002yO-3f@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 41 (CVE-2012-6075) - qemu
 (e1000 device driver): Buffer overflow when processing large packets
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-6075 / XSA-41
			      version 2

 qemu (e1000 device driver): Buffer overflow when processing large packets

UPDATES IN VERSION 2
====================

Add a reference to a second required patch.

SUMMARY AND SOURCES OF INFORMATION
==================================

An issue in qemu has been disclosed which we believe affects some
users of Xen.

The Qemu project has not itself issued an advisory. More information
may be available in the advisories published by the distros:

https://bugzilla.redhat.com/show_bug.cgi?id=889301
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696051

CAVEAT
======

For full and accurate information please refer to those advisories.
We have not conducted a full review of the information and patches
provided.

The rest of the information in this advisory is true to the best of
our knowledge at the time of writing.

IMPACT
======

The vulnerability impacts any host running HVM (Fully-Emulated) guests
which are configured with an e1000 NIC (using "model=e1000") in their
VIF configuration. Note that the default emulated NIC is "rtl8139"
which is not vulnerable.

In a vulnerable configuration a hostile network packet may be able to
corrupt the memory of the guest, leading to a guest DoS or remote
privilege escalation.

We do not believe that this issue enables an attack against the host.

MITIGATION
==========

Limiting the size of network frames (e.g. by disabling jumbo frames)
on the local network and the Xen bridge may reduce or eliminate
guests' vulnerability to the bug.

RESOLUTION
==========

There are two patches required. See these git commits:
  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=b0d9ffcd0251161c7c92f94804dcf599dfa3edeb
  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=2c0331f4f7d241995452b99afaf0aab00493334a

These fixes have both been applied to all qemu branches contained in
Xen version 4.1 onwards.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Tue Jan 22 12:05:04 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 22 Jan 2013 12:05:04 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TxcYo-0001Tw-AR; Tue, 22 Jan 2013 12:02:38 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TxcYm-0001Tb-VI; Tue, 22 Jan 2013 12:02:37 +0000
Received: from [85.158.138.51:45215] by server-9.bemta-3.messagelabs.com id
	5A/E2-08786-BDF7EF05; Tue, 22 Jan 2013 12:02:35 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-16.tower-174.messagelabs.com!1358856153!28977135!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.7; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 16123 invoked from network); 22 Jan 2013 12:02:34 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-16.tower-174.messagelabs.com with AES256-SHA encrypted SMTP;
	22 Jan 2013 12:02:34 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TxcYd-00058B-Df; Tue, 22 Jan 2013 12:02:27 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TxcYd-0007H4-74; Tue, 22 Jan 2013 12:02:27 +0000
Date: Tue, 22 Jan 2013 12:02:27 +0000
Message-Id: <E1TxcYd-0007H4-74@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 35 (CVE-2013-0152) - Nested
 HVM exposes host to being driven out of memory by guest
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-0152 / XSA-35
                           version 3

       Nested HVM exposes host to being driven out of memory by guest

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Guests are currently permitted to enable nested virtualization on
themselves. Missing error handling cleanup in the handling code makes
it possible for a guest, particularly a multi-vCPU one, to repeatedly
invoke this operation, thus causing a leak of - over time - unbounded
amounts of memory.

IMPACT
======

A malicious domain can mount a denial of service attack affecting the
whole system.

VULNERABLE SYSTEMS
==================

Only Xen 4.2 and Xen unstable are vulnerable. Xen 4.1 and earlier are
not vulnerable.

The vulnerability is only exposed by HVM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

To fix both XSA 34 and XSA 35, first apply xsa34-4.2.patch from XSA 34
and then *also* apply xsa35-4.2-with-xsa34.patch from this advisory.

To fix this issue without addressing XSA 34, use xsa35.patch.

$ sha256sum xsa35*.patch
8372322e986bc2210f0d35b4d35a029301bd28fc1dffb789dff1436eb2024723  xsa35-4.2-with-xsa34.patch
e69b01033b0fa4c3d175697566d2f0b161337e8d206654919937f77721dbf866  xsa35.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa35-4.2-with-xsa34.patch"
Content-Disposition: attachment; filename="xsa35-4.2-with-xsa34.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa35.patch"
Content-Disposition: attachment; filename="xsa35.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Tue Jan 22 12:05:05 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 22 Jan 2013 12:05:05 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TxcYs-0001Ut-5n; Tue, 22 Jan 2013 12:02:42 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TxcYq-0001UK-HZ; Tue, 22 Jan 2013 12:02:40 +0000
Received: from [85.158.137.99:61859] by server-6.bemta-3.messagelabs.com id
	BB/25-25504-FDF7EF05; Tue, 22 Jan 2013 12:02:39 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-2.tower-217.messagelabs.com!1358856156!17896873!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.7; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 27119 invoked from network); 22 Jan 2013 12:02:37 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-2.tower-217.messagelabs.com with AES256-SHA encrypted SMTP;
	22 Jan 2013 12:02:37 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TxcYa-000583-Av; Tue, 22 Jan 2013 12:02:24 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1TxcYZ-0007Gd-LA; Tue, 22 Jan 2013 12:02:23 +0000
Date: Tue, 22 Jan 2013 12:02:23 +0000
Message-Id: <E1TxcYZ-0007Gd-LA@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 34 (CVE-2013-0151) - nested
 virtualization on 32-bit exposes host crash
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-0151 / XSA-34
                            version 2

	   nested virtualization on 32-bit exposes host crash

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

When performing nested virtualisation Xen would incorrectly map guest
pages for extended periods using an interface which is only intended
for transient mappings. In some configurations there are a limited
number of slots available for these transient mappings and exhausting
them leads to a host crash and therefore a Denial of Service attack.

IMPACT
======

A malicious guest administrator can, by enabling nested virtualisation
from within the guest, trigger the issue.

Their ability to do this will depend on the number of VCPUs the domain
is configured with. Domains with smaller numbers of VCPUs (e.g. less
than 16) are not able to create sufficient mappings via this method to
trigger the issue.

VULNERABLE SYSTEMS
==================

32 bit hypervisors running HVM guests on either Intel or AMD are
vulnerable.

Only Xen version 4.2.x is vulnerable.

Nested virtualisation was introduced as an experimental feature in Xen
4.2 and therefore versions of Xen prior to that are not vulnerable.

The 32 bit hypervisor has been removed in Xen unstable and therefore
is not vulnerable.

MITIGATION
==========

Running a 64 bit hypervisor or avoiding running HVM guests with
untrusted administrators can avoid the issue.

We strongly recommend running a 64 bit hypervisor on any processor
which supports it. Note that this does not require running a 64 bit
domain 0.

Ensuring that HVM guests with untrusted administrators do not have
more than 16 VCPUs will also avoid the issue.

RESOLUTION
==========

The attached patch avoids this issue by disabling nested HVM support
when running a 32-bit hypervisor.

xsa34-4.2.patch             Xen 4.2.x

$ sha256sum xsa34*.patch
ef75cdcf934003aaced57698a2441c4ba058b968956925eec2d5a100a28db0ae  xsa34-4.2.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa34-4.2.patch"
Content-Disposition: attachment; filename="xsa34-4.2.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Wed Jan 23 18:31:49 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 23 Jan 2013 18:31:49 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Ty54V-0004Oc-4e; Wed, 23 Jan 2013 18:29:15 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Ty54T-0004OB-F7; Wed, 23 Jan 2013 18:29:13 +0000
Received: from [85.158.139.211:28795] by server-6.bemta-5.messagelabs.com id
	9B/0C-25043-8FB20015; Wed, 23 Jan 2013 18:29:12 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-10.tower-206.messagelabs.com!1358965750!19352654!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.7; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 13335 invoked from network); 23 Jan 2013 18:29:11 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-10.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	23 Jan 2013 18:29:11 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Ty54J-0008TL-ST; Wed, 23 Jan 2013 18:29:03 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Ty54I-0003Fr-SW; Wed, 23 Jan 2013 18:29:03 +0000
Date: Wed, 23 Jan 2013 18:29:03 +0000
Message-Id: <E1Ty54I-0003Fr-SW@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 35 (CVE-2013-0152) - Nested
 HVM exposes host to being driven out of memory by guest
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-0152 / XSA-35
                           version 4

       Nested HVM exposes host to being driven out of memory by guest

UPDATES IN VERSION 4
====================

Fix corrupt patch xsa35-4.2-with-xsa34.patch.

ISSUE DESCRIPTION
=================

Guests are currently permitted to enable nested virtualization on
themselves. Missing error handling cleanup in the handling code makes
it possible for a guest, particularly a multi-vCPU one, to repeatedly
invoke this operation, thus causing a leak of - over time - unbounded
amounts of memory.

IMPACT
======

A malicious domain can mount a denial of service attack affecting the
whole system.

VULNERABLE SYSTEMS
==================

Only Xen 4.2 and Xen unstable are vulnerable. Xen 4.1 and earlier are
not vulnerable.

The vulnerability is only exposed by HVM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

To fix both XSA 34 and XSA 35, first apply xsa34-4.2.patch from XSA 34
and then *also* apply xsa35-4.2-with-xsa34.patch from this advisory.

To fix this issue without addressing XSA 34, use xsa35.patch.

$ sha256sum xsa35*.patch
4a103bf14dd060f702289db539a8c6c69496bdfd1de5d0c0468c3aab7b34f6a5  xsa35-4.2-with-xsa34.patch
e69b01033b0fa4c3d175697566d2f0b161337e8d206654919937f77721dbf866  xsa35.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa35-4.2-with-xsa34.patch"
Content-Disposition: attachment; filename="xsa35-4.2-with-xsa34.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa35.patch"
Content-Disposition: attachment; filename="xsa35.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
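
Version 4 of XSA-35 re-issues xsa35-4.2-with-xsa34.patch with a different SHA-256 than version 3, so a copy saved from the earlier mail no longer matches the current advisory. The following is an added example, not part of the advisory or of the Xen project's tooling: it parses the sha256sum transcripts quoted in the two versions, reports which digest was replaced, and classifies locally held patch bytes. The function names are hypothetical, and it assumes the PGP signature on each advisory text has already been verified.

```python
import hashlib
import re

# Checksum transcripts copied from the RESOLUTION sections of XSA-35
# version 3 and version 4 as quoted in the advisories above.
V3_RESOLUTION = """\
$ sha256sum xsa35*.patch
8372322e986bc2210f0d35b4d35a029301bd28fc1dffb789dff1436eb2024723  xsa35-4.2-with-xsa34.patch
e69b01033b0fa4c3d175697566d2f0b161337e8d206654919937f77721dbf866  xsa35.patch
$
"""

V4_RESOLUTION = """\
$ sha256sum xsa35*.patch
4a103bf14dd060f702289db539a8c6c69496bdfd1de5d0c0468c3aab7b34f6a5  xsa35-4.2-with-xsa34.patch
e69b01033b0fa4c3d175697566d2f0b161337e8d206654919937f77721dbf866  xsa35.patch
$
"""

# One line of sha256sum output: 64 hex digits, a space, a mode character
# (space for text mode, '*' for binary mode), then the file name.
SUM_LINE = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")


def parse_checksums(advisory_text):
    """Return {file name: sha256 hex} from the '$ sha256sum' transcript."""
    sums = {}
    in_transcript = False
    for line in advisory_text.splitlines():
        if line.startswith("$ sha256sum"):
            in_transcript = True
            continue
        if not in_transcript:
            continue
        match = SUM_LINE.match(line)
        if match is None:
            break  # the closing "$" prompt, or any other text, ends the transcript
        sums[match.group(2)] = match.group(1)
    return sums


def changed_between(older, newer):
    """Files listed in both versions whose digest was replaced in the newer one."""
    return {
        name: (older[name], newer[name])
        for name in older.keys() & newer.keys()
        if older[name] != newer[name]
    }


def classify(data, name, current, superseded):
    """Classify locally held patch bytes against two checksum tables.

    'current'    matches the newest advisory version
    'superseded' matches only an earlier version (re-download the patch)
    'mismatch'   is listed under this name but matches neither digest
    'unlisted'   the newest advisory does not list this file name
    """
    if name not in current:
        return "unlisted"
    digest = hashlib.sha256(data).hexdigest()
    if digest == current[name]:
        return "current"
    if superseded.get(name) == digest:
        return "superseded"
    return "mismatch"


if __name__ == "__main__":
    v3 = parse_checksums(V3_RESOLUTION)
    v4 = parse_checksums(V4_RESOLUTION)
    for name, (old, new) in changed_between(v3, v4).items():
        print(f"{name}: digest replaced in version 4\n  was {old}\n  now {new}")
    # Constructed stand-in bytes, not the real patch content.
    sample = b"constructed sample, not a real patch\n"
    print("xsa35.patch sample:", classify(sample, "xsa35.patch", v4, v3))
```
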


From xen-announce-bounces@lists.xen.org Wed Jan 23 18:31:49 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 23 Jan 2013 18:31:49 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Ty54V-0004Oc-4e; Wed, 23 Jan 2013 18:29:15 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Ty54T-0004OB-F7; Wed, 23 Jan 2013 18:29:13 +0000
Received: from [85.158.139.211:28795] by server-6.bemta-5.messagelabs.com id
	9B/0C-25043-8FB20015; Wed, 23 Jan 2013 18:29:12 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-10.tower-206.messagelabs.com!1358965750!19352654!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.7; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 13335 invoked from network); 23 Jan 2013 18:29:11 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-10.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	23 Jan 2013 18:29:11 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Ty54J-0008TL-ST; Wed, 23 Jan 2013 18:29:03 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Ty54I-0003Fr-SW; Wed, 23 Jan 2013 18:29:03 +0000
Date: Wed, 23 Jan 2013 18:29:03 +0000
Message-Id: <E1Ty54I-0003Fr-SW@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 35 (CVE-2013-0152) - Nested
 HVM exposes host to being driven out of memory by guest


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-0152 / XSA-35
                           version 4

       Nested HVM exposes host to being driven out of memory by guest

UPDATES IN VERSION 4
====================

Fix corrupt patch xsa35-4.2-with-xsa34.patch.

ISSUE DESCRIPTION
=================

Guests are currently permitted to enable nested virtualization on
themselves. The code handling this operation is missing cleanup in
its error handling, which makes it possible for a guest, particularly
a multi-vCPU one, to invoke the operation repeatedly and so leak an
amount of memory that is, over time, unbounded.

IMPACT
======

A malicious domain can mount a denial of service attack affecting the
whole system.

VULNERABLE SYSTEMS
==================

Only Xen 4.2 and Xen unstable are vulnerable. Xen 4.1 and earlier are
not vulnerable.

The vulnerability is only exposed by HVM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

To fix both XSA 34 and XSA 35, first apply xsa34-4.2.patch from XSA 34
and then *also* apply xsa35-4.2-with-xsa34.patch from this advisory.

To fix this issue without addressing XSA 34, use xsa35.patch.

$ sha256sum xsa35*.patch
4a103bf14dd060f702289db539a8c6c69496bdfd1de5d0c0468c3aab7b34f6a5  xsa35-4.2-with-xsa34.patch
e69b01033b0fa4c3d175697566d2f0b161337e8d206654919937f77721dbf866  xsa35.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa35-4.2-with-xsa34.patch"
Content-Disposition: attachment; filename="xsa35-4.2-with-xsa34.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa35.patch"
Content-Disposition: attachment; filename="xsa35.patch"
Content-Transfer-Encoding: base64
--=separator--
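
The resolution steps in the advisory above, as an added shell example that is not part of the advisory: it checks the downloaded XSA-35 patches against the SHA-256 values the advisory lists and prints them in the apply order the advisory gives. The function names and the DIR/MODE arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical.

# SHA-256 values copied from the XSA-35 (version 4) advisory text.
XSA35_WITH_XSA34_SHA256=4a103bf14dd060f702289db539a8c6c69496bdfd1de5d0c0468c3aab7b34f6a5
XSA35_SHA256=e69b01033b0fa4c3d175697566d2f0b161337e8d206654919937f77721dbf866

# verify_sha256 FILE EXPECTED
# Returns 0 if FILE hashes to EXPECTED, 1 on mismatch, 2 if FILE is missing.
verify_sha256() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ] && return 0
    echo "checksum mismatch: $1" >&2
    return 1
}

# xsa35_series DIR MODE
# Prints, one per line and in apply order, the patches for MODE:
#   with-xsa34  fix XSA 34 and XSA 35 together
#   xsa35-only  fix XSA 35 without addressing XSA 34
# Prints nothing and returns non-zero if an XSA-35 patch fails its check.
# The checksum of xsa34-4.2.patch is published in XSA 34, not here, so this
# function only confirms that file is present.
xsa35_series() {
    dir=$1
    case $2 in
        with-xsa34)
            verify_sha256 "$dir/xsa35-4.2-with-xsa34.patch" \
                "$XSA35_WITH_XSA34_SHA256" || return
            [ -f "$dir/xsa34-4.2.patch" ] ||
                { echo "missing: $dir/xsa34-4.2.patch" >&2; return 2; }
            # Order matters: the XSA 34 patch first, then the XSA 35 one.
            printf '%s\n' "$dir/xsa34-4.2.patch" \
                "$dir/xsa35-4.2-with-xsa34.patch" ;;
        xsa35-only)
            verify_sha256 "$dir/xsa35.patch" "$XSA35_SHA256" || return
            printf '%s\n' "$dir/xsa35.patch" ;;
        *)
            echo "usage: xsa35_series DIR with-xsa34|xsa35-only" >&2
            return 64 ;;
    esac
}
```

Because nothing is printed when a check fails, the output can be fed to a patch-applying loop without a tampered or truncated file reaching the source tree.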


