From xen-announce-bounces@lists.xen.org Mon Sep 09 15:50:29 2013
Message-ID: <522DE811.1000701@xen.org>
Date: Mon, 09 Sep 2013 16:24:01 +0100
From: Lars Kurth <lars.kurth@xen.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: xen-announce@lists.xen.org
References: <522DFCC802000078000F1972@nat28.tlf.novell.com>
In-Reply-To: <522DFCC802000078000F1972@nat28.tlf.novell.com>
X-Forwarded-Message-Id: <522DFCC802000078000F1972@nat28.tlf.novell.com>
X-Mailman-Approved-At: Mon, 09 Sep 2013 15:48:22 +0000
Subject: [Xen-announce] Xen 4.2.3 released
Content-Type: multipart/mixed; boundary="===============4715258996417887772=="

This is a multi-part message in MIME format.
--===============4715258996417887772==
Content-Type: multipart/alternative;
 boundary="------------080606070104060704060504"

This is a multi-part message in MIME format.
--------------080606070104060704060504
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


-------- Original Message --------
Subject: 	[Xen-devel] [ANNOUNCE] Xen 4.2.3 released
Date: 	Mon, 09 Sep 2013 15:52:24 +0100
From: 	Jan Beulich <JBeulich@suse.com>
To: 	xen-devel <xen-devel@lists.xenproject.org>



All,

I am pleased to announce the release of Xen 4.2.3. This is
available immediately from its git repository
http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.2
(tag RELEASE-4.2.3) or from the XenProject download page
http://www.xenproject.org/downloads/xen-archives/supported-xen-42-series/xen-423.html

This fixes the following critical vulnerabilities:
  * CVE-2013-1918 / XSA-45:
     Several long latency operations are not preemptible
  * CVE-2013-1952 / XSA-49:
     VT-d interrupt remapping source validation flaw for bridges
  * CVE-2013-2076 / XSA-52:
     Information leak on XSAVE/XRSTOR capable AMD CPUs
  * CVE-2013-2077 / XSA-53:
     Hypervisor crash due to missing exception recovery on XRSTOR
  * CVE-2013-2078 / XSA-54:
     Hypervisor crash due to missing exception recovery on XSETBV
  * CVE-2013-2194, CVE-2013-2195, CVE-2013-2196 / XSA-55:
     Multiple vulnerabilities in libelf PV kernel handling
  * CVE-2013-2072 / XSA-56:
     Buffer overflow in xencontrol Python bindings affecting xend
  * CVE-2013-2211 / XSA-57:
     libxl allows guest write access to sensitive console related xenstore keys
  * CVE-2013-1432 / XSA-58:
     Page reference counting error due to XSA-45/CVE-2013-1918 fixes
  * XSA-61:
     libxl partially sets up HVM passthrough even with disabled iommu

The following minor vulnerability is also being addressed:
  * CVE-2013-2007 / XSA-51:
     qemu guest agent (qga) insecure file permissions

We recommend all users of the 4.2 stable series to update to this
latest point release.

Among many bug fixes and improvements:
  * addressing a regression from the fix for XSA-46
  * bug fixes to low level system state handling, including certain
     hardware errata workarounds

Regards,
Jan


--------------080606070104060704060504--


--===============4715258996417887772==--


From xen-announce-bounces@lists.xen.org Tue Sep 10 10:58:09 2013
Date: Tue, 10 Sep 2013 10:56:29 +0000
Message-Id: <E1VJLcT-0004k4-LQ@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 61 - libxl partially sets up
 HVM passthrough even with disabled iommu


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-61

     libxl partially sets up HVM passthrough even with disabled iommu

ISSUE DESCRIPTION
=================

With HVM domains, libxl's setup of PCI passthrough devices does the
IOMMU setup after giving (via the device model) the guest access to
the hardware and advertising it to the guest.

If the IOMMU is disabled the overall setup fails, but only after the
device has been made available to the guest; subsequent DMA instructions
from the guest to the device will cause wild DMA.

IMPACT
======

An HVM domain given access to a bus mastering capable device in the
absence of a functioning IOMMU can mount a privilege escalation or
denial of service attack affecting the whole system.

VULNERABLE SYSTEMS
==================

1. Only systems which pass busmastering-capable PCI devices through to
   untrusted guests are vulnerable.  (Most PCI devices are
   busmastering-capable.)

2. Only systems which use libxl as part of the toolstack are
   vulnerable.

   The major consumer of libxl functionality is the xl toolstack which
   became the default in Xen 4.2.

   In addition, libvirt can optionally make use of libxl.  This
   can be queried with
           # virsh version
   which will report "xenlight" if libxl is in use.  libvirt currently
   prefers the xend backend if xend is running.

   The xend and xapi toolstacks do not currently use libxl.

3. Only Xen versions 4.0.x through 4.2.x are vulnerable.

4. Only HVM domains can take advantage of this vulnerability.

5. Systems which have a functioning IOMMU are NOT vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to HVM guests when
there is no functioning IOMMU.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on xen-devel; the person reporting
it did not appreciate that it was a security issue.  Additionally the
patch to fix the issue was already applied to the respective branches
(in particular resulting in Xen 4.3 not being vulnerable).  Under the
circumstances the Xen.org security team do not consider that this
advisory should be embargoed.

Also, we apologise for the delay to this advisory message, which was
due to an oversight by us.

CREDITS
=======

George Dunlap found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa61-4.1.patch             Xen 4.1.x
xsa61-4.2-unstable.patch    Xen 4.2.x, xen-unstable

$ sha256sum xsa61*.patch
19caa5f1ce91ebc908c899b8be216034dc67c3e890f59597f659caed41d468f6  xsa61-4.1.patch
5898926de86dd6a27f8e34a2c103e3d0c6267b1d7d947434f294423ed3b0eefd  xsa61-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa61-4.1.patch"
Content-Disposition: attachment; filename="xsa61-4.1.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa61-4.2-unstable.patch"
Content-Disposition: attachment; filename="xsa61-4.2-unstable.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Tue Sep 10 10:58:09 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 10 Sep 2013 10:58:09 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VJLce-0004Af-Jf; Tue, 10 Sep 2013 10:56:40 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VJLcc-00049e-JY; Tue, 10 Sep 2013 10:56:38 +0000
Received: from [85.158.139.211:34861] by server-2.bemta-5.messagelabs.com id
	A8/67-26841-5EAFE225; Tue, 10 Sep 2013 10:56:37 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-8.tower-206.messagelabs.com!1378810595!1668776!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 13195 invoked from network); 10 Sep 2013 10:56:36 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-8.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	10 Sep 2013 10:56:36 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VJLcT-0005rx-P4; Tue, 10 Sep 2013 10:56:29 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VJLcT-0004k4-LQ; Tue, 10 Sep 2013 10:56:29 +0000
Date: Tue, 10 Sep 2013 10:56:29 +0000
Message-Id: <E1VJLcT-0004k4-LQ@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 61 - libxl partially sets up
 HVM passthrough even with disabled iommu
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-61

     libxl partially sets up HVM passthrough even with disabled iommu

ISSUE DESCRIPTION
=================

With HVM domains, libxl's setup of PCI passthrough devices does the
IOMMU setup after giving (via the device model) the guest access to
the hardware and advertising it to the guest.

If the IOMMU is disabled the overall setup fails, but after the device
has been made available to the guest; subsequent DMA instructions from
the guest to the device will cause wild DMA.

IMPACT
======

A HVM domain, given access to a device which is bus mastering capable in
the absence of a functioning IOMMU, can mount a privilege escalation
or denial of service attack affecting the whole system.

VULNERABLE SYSTEMS
==================

1. Only systems which pass busmastering-capable PCI devices through to
   untrusted guests are vulnerable.  (Most PCI devices are
   busmastering-capable.)

2. Only systems which use libxl as part of the toolstack are
   vulnerable.

   The major consumer of libxl functionality is the xl toolstack which
   became the default in Xen 4.2.

   In addition to this libvirt can optionally make use of libxl. This
   can be queried with
           # virsh version
   which will report "xenlight" if libxl is in use.  libvirt currently
   prefers the xend backend if xend is running.

   The xend and xapi toolstacks do not currently use libxl.

3. Only Xen versions 4.0.x through 4.2.x are vulnerable.

4. Only HVM domains can take advantage of this vulnerability.

5. Systems which have a functioning IOMMU are NOT vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to HVM guests when
there is no functioning IOMMU.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on xen-devel; the person reporting
it did not appreciate that it was a security issue.  Additionally the
patch to fix the issue was already applied to the respective branches
(in particular resulting in Xen 4.3 not being vulnerable).  Under the
circumstances the Xen.org security team do not consider that this
advisory should be embargoed.

Also, we apologise for the delay to this advisory message, which was
due to an oversight by us.

CREDITS
=======

George Dunlap found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa61-4.1.patch             Xen 4.1.x
xsa61-4.2-unstable.patch    Xen 4.2.x, xen-unstable

$ sha256sum xsa61*.patch
19caa5f1ce91ebc908c899b8be216034dc67c3e890f59597f659caed41d468f6  xsa61-4.1.patch
5898926de86dd6a27f8e34a2c103e3d0c6267b1d7d947434f294423ed3b0eefd  xsa61-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa61-4.1.patch"
Content-Disposition: attachment; filename="xsa61-4.1.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa61-4.2-unstable.patch"
Content-Disposition: attachment; filename="xsa61-4.2-unstable.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
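
The five conditions listed under VULNERABLE SYSTEMS in the XSA-61 advisory above can be checked per guest; the following is an added example, not part of the advisory or of Xen's own code. It assumes that `hvm_directio` in the `virt_caps` line of `xl info` indicates a functioning IOMMU, that every passed-through device is busmastering-capable, and it uses constructed sample inputs and hypothetical toolstack labels.

```python
import re

# Labels for the toolstack argument are chosen for this example only.
LIBXL_TOOLSTACKS = {"xl", "libvirt-xenlight"}
# Advisory: "Only Xen versions 4.0.x through 4.2.x are vulnerable."
AFFECTED_SERIES = {(4, 0), (4, 1), (4, 2)}

QUOTED = r"""['"]([^'"]+)['"]"""


def parse_xl_info(text):
    """Turn the 'key : value' lines of `xl info` output into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def parse_guest_cfg(text):
    """Extract guest type and passthrough devices from an xl domain config.

    Simplification: only whole-line '#' comments are dropped before matching.
    """
    body = "\n".join(
        l for l in text.splitlines() if not l.lstrip().startswith("#")
    )
    builder = re.search(r"^\s*builder\s*=\s*" + QUOTED, body, re.M)
    pci = re.search(r"^\s*pci\s*=\s*\[(.*?)\]", body, re.M | re.S)
    devices = re.findall(QUOTED, pci.group(1)) if pci else []
    return {
        "hvm": bool(builder) and builder.group(1) == "hvm",
        "pci": devices,
    }


def xsa61_exposure(xl_info_text, guest_cfg_text, toolstack="xl"):
    """Evaluate the advisory's five conditions for one host/guest pair.

    A match on 'affected_series' only means the release series is listed
    in the advisory; a build carrying the xsa61 patch matches it as well,
    so confirm separately whether the patch has been applied.
    """
    info = parse_xl_info(xl_info_text)
    guest = parse_guest_cfg(guest_cfg_text)
    series = (int(info.get("xen_major", -1)), int(info.get("xen_minor", -1)))
    caps = info.get("virt_caps", "").split()
    checks = {
        # 1. a PCI device is passed through (assumed busmastering-capable)
        "pci_passthrough": bool(guest["pci"]),
        # 2. the toolstack is built on libxl
        "libxl_toolstack": toolstack in LIBXL_TOOLSTACKS,
        # 3. Xen 4.0.x through 4.2.x
        "affected_series": series in AFFECTED_SERIES,
        # 4. the guest is an HVM domain
        "hvm_guest": guest["hvm"],
        # 5. no functioning IOMMU (assumption: signalled by hvm_directio)
        "no_iommu": "hvm_directio" not in caps,
    }
    checks["exposed"] = all(checks.values())
    return checks


def sample_xl_info(minor, virt_caps):
    """Build constructed `xl info`-style text for the demo below."""
    return (
        "xen_major              : 4\n"
        f"xen_minor              : {minor}\n"
        f"virt_caps              : {virt_caps}\n"
    )


# Constructed guest configs (not taken from any real system).
GUEST_HVM_PCI = """\
# constructed sample
name = "guest1"
builder = "hvm"
memory = 2048
pci = [ '0000:03:00.0',
        '0000:03:00.1' ]
"""

GUEST_PV_PCI = """\
name = "guest2"
memory = 1024
pci = [ '0000:04:00.0' ]
"""

if __name__ == "__main__":
    cases = [
        ("4.2, no IOMMU, HVM", sample_xl_info(2, "hvm"), GUEST_HVM_PCI),
        ("4.2, IOMMU on, HVM", sample_xl_info(2, "hvm hvm_directio"), GUEST_HVM_PCI),
        ("4.2, no IOMMU, PV", sample_xl_info(2, "hvm"), GUEST_PV_PCI),
    ]
    for label, host, guest in cases:
        result = xsa61_exposure(host, guest)
        failed = [k for k, v in result.items() if not v and k != "exposed"]
        print(f"{label}: exposed={result['exposed']} unmet={failed}")
```

For libvirt-managed hosts, pass the toolstack label according to whether `virsh version` reports "xenlight", as the advisory describes.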


From xen-announce-bounces@lists.xen.org Tue Sep 10 14:29:04 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 10 Sep 2013 14:29:04 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VJOuK-0000aH-Mf; Tue, 10 Sep 2013 14:27:08 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <lars.kurth.xen@gmail.com>) id 1VJOsy-0000Xy-K1
	for xen-announce@lists.xen.org; Tue, 10 Sep 2013 14:25:44 +0000
Received: from [85.158.143.35:64608] by server-2.bemta-4.messagelabs.com id
	4C/E5-26052-7EB2F225; Tue, 10 Sep 2013 14:25:43 +0000
X-Env-Sender: lars.kurth.xen@gmail.com
X-Msg-Ref: server-13.tower-21.messagelabs.com!1378823142!2693926!1
X-Originating-IP: [74.125.82.170]
X-SpamReason: No, hits=1.3 required=7.0 tests=BODY_RANDOM_LONG,
	HTML_40_50,HTML_MESSAGE,RCVD_ILLEGAL_IP
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 10834 invoked from network); 10 Sep 2013 14:25:42 -0000
Received: from mail-we0-f170.google.com (HELO mail-we0-f170.google.com)
	(74.125.82.170)
	by server-13.tower-21.messagelabs.com with RC4-SHA encrypted SMTP;
	10 Sep 2013 14:25:42 -0000
Received: by mail-we0-f170.google.com with SMTP id w62so5750782wes.29
	for <xen-announce@lists.xen.org>; Tue, 10 Sep 2013 07:25:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=sender:message-id:date:from:reply-to:user-agent:mime-version:to
	:subject:references:in-reply-to:content-type;
	bh=AHCJlzVj742uJy6UCPil6T9VJUJ6VoJKzcWNNGBckW0=;
	b=j+SeqhDNMiEhKeYixmFRiTwPzjf1NXgiUAcmlQ42f1eoVMRgZvH6w/kdxaGLqWKvWl
	9KDDn3VsAzuTGwY+NJCYmjLtDpvK/miJVuP4RGFb1vpyBdQTHnIRfx9yR3dnT0ssGZ+m
	LfRoM5tnWo8G4zXmm/QJA44wqgH6JulAtsJz8NLh2CuwrJzUeeH//crz0fhxLB3TjHzu
	Mh9/zNQtnp8Uy67uZ6Sg8haOvbAz1Y9SK9qpexMjGcct21XOcN5rIJ8Y9UIJQVgEFJJq
	wbL47Rq/HdgeYhW5kKN2/Q+YbFve8yrQe0CqCz4BJQxtwZAzJEpZJI8lSd/Eb2CrQCVH
	vYMA==
X-Received: by 10.194.120.68 with SMTP id la4mr6850188wjb.33.1378823142686;
	Tue, 10 Sep 2013 07:25:42 -0700 (PDT)
Received: from [172.16.26.11] (0541943c.skybroadband.com. [5.65.148.60])
	by mx.google.com with ESMTPSA id jf2sm3895166wic.2.1969.12.31.16.00.00
	(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Tue, 10 Sep 2013 07:25:41 -0700 (PDT)
Message-ID: <522F2BE4.1060404@xen.org>
Date: Tue, 10 Sep 2013 15:25:40 +0100
From: Lars Kurth <lars.kurth@xen.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: xen-announce@lists.xen.org
References: <522F440B02000078000F1F1B@nat28.tlf.novell.com>
In-Reply-To: <522F440B02000078000F1F1B@nat28.tlf.novell.com>
X-Forwarded-Message-Id: <522F440B02000078000F1F1B@nat28.tlf.novell.com>
X-Mailman-Approved-At: Tue, 10 Sep 2013 14:27:07 +0000
Subject: [Xen-announce] Xen 4.1.6.1 released
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: lars.kurth@xen.org
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============6078407645604904775=="
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

This is a multi-part message in MIME format.
--===============6078407645604904775==
Content-Type: multipart/alternative;
 boundary="------------070509060601060108050702"

This is a multi-part message in MIME format.
--------------070509060601060108050702
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


-------- Original Message --------
Subject: 	[Xen-devel] [ANNOUNCE] Xen 4.1.6.1 released
Date: 	Tue, 10 Sep 2013 15:08:43 +0100
From: 	Jan Beulich <JBeulich@suse.com>
To: 	xen-devel <xen-devel@lists.xenproject.org>



All,

I am pleased to announce the release of Xen 4.1.6.1. This is
available immediately from its git repository:
http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.1
(tag RELEASE-4.1.6.1) or from the XenProject download page
http://www.xenproject.org/downloads/xen-archives/supported-xen-41-series/xen-4161.html

Note that 4.1.6 didn't get released, as a build issue was found late
in the release process, when the 4.1.6 version number was already
irreversibly applied.

Note further that this is expected to be the last release of the 4.1
stable series.

This fixes the following critical vulnerabilities:
  * CVE-2013-1918 / XSA-45:
     Several long latency operations are not preemptible
  * CVE-2013-1952 / XSA-49:
     VT-d interrupt remapping source validation flaw for bridges
  * CVE-2013-2076 / XSA-52:
     Information leak on XSAVE/XRSTOR capable AMD CPUs
  * CVE-2013-2077 / XSA-53:
     Hypervisor crash due to missing exception recovery on XRSTOR
  * CVE-2013-2078 / XSA-54:
     Hypervisor crash due to missing exception recovery on XSETBV
  * CVE-2013-2194, CVE-2013-2195, CVE-2013-2196 / XSA-55:
     Multiple vulnerabilities in libelf PV kernel handling
  * CVE-2013-2072 / XSA-56:
     Buffer overflow in xencontrol Python bindings affecting xend
  * CVE-2013-2211 / XSA-57:
     libxl allows guest write access to sensitive console related xenstore keys
  * CVE-2013-1432 / XSA-58:
     Page reference counting error due to XSA-45/CVE-2013-1918 fixes
  * XSA-61:
     libxl partially sets up HVM passthrough even with disabled iommu

We recommend all users of the 4.1 stable series to update to this
latest point release.

Among many bug fixes and improvements:
  * addressing a regression from the fix for XSA-21
  * addressing a regression from the fix for XSA-46
  * bug fixes to low level system state handling, including certain
     hardware errata workarounds

Regards,
Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel




--------------070509060601060108050702--


--===============6078407645604904775==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--===============6078407645604904775==--


From xen-announce-bounces@lists.xen.org Wed Sep 11 12:15:57 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 11 Sep 2013 12:15:57 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VJjJS-00041M-Fg; Wed, 11 Sep 2013 12:14:26 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VJjJQ-00040y-Vx; Wed, 11 Sep 2013 12:14:25 +0000
Received: from [85.158.137.68:26505] by server-7.bemta-3.messagelabs.com id
	B2/3C-24536-F9E50325; Wed, 11 Sep 2013 12:14:23 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-14.tower-31.messagelabs.com!1378901661!1467893!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 21664 invoked from network); 11 Sep 2013 12:14:22 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-14.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	11 Sep 2013 12:14:22 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VJjJH-0005Pp-1R; Wed, 11 Sep 2013 12:14:15 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VJjJF-0001yY-UR; Wed, 11 Sep 2013 12:14:14 +0000
Date: Wed, 11 Sep 2013 12:14:14 +0000
Message-Id: <E1VJjJF-0001yY-UR@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 61 (CVE-2013-4329) - libxl
 partially sets up HVM passthrough even with disabled iommu
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2013-4329 / XSA-61
                            version 2

     libxl partially sets up HVM passthrough even with disabled iommu

UPDATES IN VERSION 2
====================

CVE number assigned.

Clarified fixed status of Xen 4.2.3 and 4.1.6.1.

ISSUE DESCRIPTION
=================

With HVM domains, libxl's setup of PCI passthrough devices does the
IOMMU setup after giving (via the device model) the guest access to
the hardware and advertising it to the guest.

If the IOMMU is disabled the overall setup fails, but after the device
has been made available to the guest; subsequent DMA instructions from
the guest to the device will cause wild DMA.

IMPACT
======

A HVM domain, given access to a device which is bus mastering capable
in the absence of a functioning IOMMU, can mount a privilege escalation
or denial of service attack affecting the whole system.

VULNERABLE SYSTEMS
==================

1. Only systems which pass busmastering-capable PCI devices through to
   untrusted guests are vulnerable.  (Most PCI devices are
   busmastering-capable.)

2. Only systems which use libxl as part of the toolstack are
   vulnerable.

   The major consumer of libxl functionality is the xl toolstack which
   became the default in Xen 4.2.

   In addition to this libvirt can optionally make use of libxl. This
   can be queried with
           # virsh version
   which will report "xenlight" if libxl is in use.  libvirt currently
   prefers the xend backend if xend is running.

   The xend and xapi toolstacks do not currently use libxl.

3. Only Xen versions 4.0.x through 4.2.x are vulnerable. Xen 4.1.6.1
   and 4.2.3, however, have the issue already fixed.

4. Only HVM domains can take advantage of this vulnerability.

5. Systems which have a functioning IOMMU are NOT vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to HVM guests when
there is no functioning IOMMU.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on xen-devel; the person reporting
it did not appreciate that it was a security issue.  Additionally the
patch to fix the issue was already applied to the respective branches
(in particular resulting in Xen 4.3 not being vulnerable).  Under the
circumstances the Xen.org security team do not consider that this
advisory should be embargoed.

Also, we apologise for the delay to this advisory message, which was
due to an oversight by us.

CREDITS
=======

George Dunlap found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa61-4.1.patch             Xen 4.1.x
xsa61-4.2-unstable.patch    Xen 4.2.x, xen-unstable

$ sha256sum xsa61*.patch
19caa5f1ce91ebc908c899b8be216034dc67c3e890f59597f659caed41d468f6  xsa61-4.1.patch
5898926de86dd6a27f8e34a2c103e3d0c6267b1d7d947434f294423ed3b0eefd  xsa61-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa61-4.1.patch"
Content-Disposition: attachment; filename="xsa61-4.1.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa61-4.2-unstable.patch"
Content-Disposition: attachment; filename="xsa61-4.2-unstable.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
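
Added example, not part of the advisory or of Xen's own code: a host-exposure check that applies the five VULNERABLE SYSTEMS conditions of XSA-61 above to `xl info` output and a guest config file. The sample inputs are constructed; the function names, the reading of `hvm_directio` in `virt_caps` as "IOMMU functioning", and the treatment of point releases after 4.1.6.1 and 4.2.3 as still fixed are assumptions of this example.

```python
import re

# Fixed point releases named in the advisory, keyed by stable series.
FIXED_FROM = {(4, 1): (4, 1, 6, 1), (4, 2): (4, 2, 3)}


def parse_xl_info(text):
    """Turn `xl info` 'key : value' lines into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def xen_version(info):
    """Return ((major, minor, point...), suffix) from xen_major/minor/extra."""
    m = re.match(r"((?:\.\d+)*)(.*)", info.get("xen_extra", ""))
    points = [int(n) for n in m.group(1).split(".") if n]
    return (int(info["xen_major"]), int(info["xen_minor"]), *points), m.group(2)


def version_affected(version, suffix=""):
    """Condition 3: 4.0.x through 4.2.x, minus the fixed point releases."""
    series = version[:2]
    if not ((4, 0) <= series <= (4, 2)):
        return False
    fixed = FIXED_FROM.get(series)
    if fixed is None or suffix:
        # No fixed 4.0.x release is named; -rc/-pre builds are assumed unfixed.
        return True
    return version < fixed


def iommu_functioning(info):
    """Condition 5 (assumption: hvm_directio is listed only with an enabled IOMMU)."""
    return "hvm_directio" in info.get("virt_caps", "").split()


def parse_guest_cfg(cfg_text):
    """Return (is_hvm, [pci device strings]) from an xl guest config."""
    body = "\n".join(l.split("#", 1)[0] for l in cfg_text.splitlines())
    is_hvm = re.search(r"^\s*builder\s*=\s*['\"]hvm['\"]", body, re.M) is not None
    m = re.search(r"^\s*pci\s*=\s*\[(.*?)\]", body, re.M | re.S)
    devices = re.findall(r"['\"]([^'\"]+)['\"]", m.group(1)) if m else []
    return is_hvm, devices


def assess(xl_info_text, guest_cfg_text, toolstack_uses_libxl, guest_untrusted=True):
    """Evaluate the advisory's five conditions; exposed only if all hold."""
    info = parse_xl_info(xl_info_text)
    version, suffix = xen_version(info)
    is_hvm, devices = parse_guest_cfg(guest_cfg_text)
    conditions = {
        # 1. every passed-through device is assumed busmastering-capable
        "pci_passthrough_to_untrusted_guest": bool(devices) and guest_untrusted,
        # 2. supplied by the operator (xl, or libvirt reporting "xenlight")
        "toolstack_uses_libxl": toolstack_uses_libxl,
        "xen_version_affected": version_affected(version, suffix),
        "guest_is_hvm": is_hvm,
        "no_functioning_iommu": not iommu_functioning(info),
    }
    return {"exposed": all(conditions.values()),
            "conditions": conditions, "devices": devices}


# Constructed sample inputs (not captured from a real host).
SAMPLE_XL_INFO = """\
host                   : xenhost01
xen_major              : 4
xen_minor              : 2
xen_extra              : .2
virt_caps              : hvm
"""

SAMPLE_GUEST_CFG = """\
name = "guest1"
builder = "hvm"
memory = 2048
pci = [ '0000:03:00.0', '0000:03:00.1' ]  # constructed BDFs
"""

if __name__ == "__main__":
    result = assess(SAMPLE_XL_INFO, SAMPLE_GUEST_CFG, toolstack_uses_libxl=True)
    for name, holds in result["conditions"].items():
        print(f"{name:40} {holds}")
    print("exposed:", result["exposed"], result["devices"])
```

A version check alone cannot see a locally applied xsa61 patch, so a build carrying the patch without a version bump will still be reported as affected.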


From xen-announce-bounces@lists.xen.org Tue Sep 24 12:33:56 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 24 Sep 2013 12:33:56 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VORmi-0001kP-LM; Tue, 24 Sep 2013 12:32:08 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <lars.kurth.xen@gmail.com>) id 1VORjs-00018l-LG
	for xen-announce@lists.xenproject.org; Tue, 24 Sep 2013 12:29:12 +0000
Received: from [85.158.137.68:60027] by server-9.bemta-3.messagelabs.com id
	02/06-15303-79581425; Tue, 24 Sep 2013 12:29:11 +0000
X-Env-Sender: lars.kurth.xen@gmail.com
X-Msg-Ref: server-9.tower-31.messagelabs.com!1380025750!4412056!1
X-Originating-IP: [74.125.82.181]
X-SpamReason: No, hits=0.0 required=7.0 tests=ML_RADAR_SPEW_LINKS_23,
	spamassassin: 
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 22134 invoked from network); 24 Sep 2013 12:29:11 -0000
Received: from mail-we0-f181.google.com (HELO mail-we0-f181.google.com)
	(74.125.82.181)
	by server-9.tower-31.messagelabs.com with RC4-SHA encrypted SMTP;
	24 Sep 2013 12:29:11 -0000
Received: by mail-we0-f181.google.com with SMTP id p61so4542906wes.12
	for <xen-announce@lists.xenproject.org>;
	Tue, 24 Sep 2013 05:29:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=sender:message-id:date:from:reply-to:user-agent:mime-version:to
	:subject:content-type:content-transfer-encoding;
	bh=Oy17OOGvrMwvS9rZfwoqd3s80UavoLkvb6Dz1iGAtRo=;
	b=bizSGNtm1WS3eINPaNrdWnQg2zCrO4BuLbjlVPcouOBDbpqrUb4hVqAAFDVXshBWku
	N9xTvNoAuQmtncuS1R/0tZ0Km2dhWHbOvg2LNZEk1zDvl2OBCFpmgc/W1CLRRIEgO0Cx
	uHyyzV2CCHI1pjtCSfrwxDxE2HQH4OSwwFMv8G3j9jtqb1fgaP3eCpVyu0cCkc/LXuWv
	QUHiVFHru6+ud8AGaQ6jdlARRE3itjSW9sgqWoC5xpGo/DUW5IeZ1C4Apa71q7mw2BTU
	fuCNmxG54WPzwVtWSgZ64MwxDUVC3dYSUbQB7B0HSItI0dFltGdiH6wBrpoVeVMkL7h5
	UlWg==
X-Received: by 10.180.160.203 with SMTP id xm11mr17784654wib.17.1380025750598; 
	Tue, 24 Sep 2013 05:29:10 -0700 (PDT)
Received: from [172.16.26.11] ([90.198.229.53])
	by mx.google.com with ESMTPSA id fb9sm7131937wid.7.1969.12.31.16.00.00
	(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Tue, 24 Sep 2013 05:29:09 -0700 (PDT)
Message-ID: <52418594.4000105@xen.org>
Date: Tue, 24 Sep 2013 07:29:08 -0500
From: Lars Kurth <lars.kurth@xen.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: xen-announce@lists.xenproject.org
X-Mailman-Approved-At: Tue, 24 Sep 2013 12:32:07 +0000
Subject: [Xen-announce] Xen Developer Summit Schedule is available
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: lars.kurth@xen.org
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

Dear Community Member,

the schedule for the Xen Project Developer Summit is finally available 
at: http://xendevelopersummit2013.sched.org/ ... the event websites will 
be updated shortly. Do register at 
http://events.linuxfoundation.org//events/xen-project-developer-summit/attend/register 
and book your hotel rooms as soon as you can! Xen Dev Summit is already 
half sold out!

== Hotels ==
We added another room block at the Crowne Plaza and added other options 
to 
http://events.linuxfoundation.org/events/xen-project-developer-summit/attend/hoteltravel. 
For example the Sheraton has still rooms at good pre-paid rates: the 
info is also on the website.

== BoFs ==
We do still have a number of BoF slots available in the schedule. BoFs 
are small discussion groups for specific topics. If you do want a BoF, 
please send me an e-mail with a BoF title, a short description and your 
name and a short bio. BoF organizers will get 3-5 minutes (depending on 
the number of BoFs a day) in the  BoF announcement slot after lunch to 
pitch for their BoF - no slides are allowed for the pitch.

== Xen Project Developer Meeting ==
Also, if you want to attend the Developer Meeting before the summit, see 
http://wiki.xen.org/wiki/Developer_Meeting_XS13 ... I have talked to the 
organizers of the KVM Forum last week, who are holding a Hackathon at 
the same time as the Dev meeting takes place. We are trying to get both 
events co-located (rooms next to each other), such that if QEMU related 
topics are discussed at the Developer Meeting, you can walk over to the 
Hackathon and pull the relevant people. I will confirm later, whether we 
managed to co-locate rooms.

Hope to see you at the event

Best Regards
Lars

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce

From xen-announce-bounces@lists.xen.org Tue Sep 24 12:33:56 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 24 Sep 2013 12:33:56 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VORmi-0001kP-LM; Tue, 24 Sep 2013 12:32:08 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <lars.kurth.xen@gmail.com>) id 1VORjs-00018l-LG
	for xen-announce@lists.xenproject.org; Tue, 24 Sep 2013 12:29:12 +0000
Received: from [85.158.137.68:60027] by server-9.bemta-3.messagelabs.com id
	02/06-15303-79581425; Tue, 24 Sep 2013 12:29:11 +0000
X-Env-Sender: lars.kurth.xen@gmail.com
X-Msg-Ref: server-9.tower-31.messagelabs.com!1380025750!4412056!1
X-Originating-IP: [74.125.82.181]
X-SpamReason: No, hits=0.0 required=7.0 tests=ML_RADAR_SPEW_LINKS_23,
	spamassassin: 
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 22134 invoked from network); 24 Sep 2013 12:29:11 -0000
Received: from mail-we0-f181.google.com (HELO mail-we0-f181.google.com)
	(74.125.82.181)
	by server-9.tower-31.messagelabs.com with RC4-SHA encrypted SMTP;
	24 Sep 2013 12:29:11 -0000
Received: by mail-we0-f181.google.com with SMTP id p61so4542906wes.12
	for <xen-announce@lists.xenproject.org>;
	Tue, 24 Sep 2013 05:29:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=sender:message-id:date:from:reply-to:user-agent:mime-version:to
	:subject:content-type:content-transfer-encoding;
	bh=Oy17OOGvrMwvS9rZfwoqd3s80UavoLkvb6Dz1iGAtRo=;
	b=bizSGNtm1WS3eINPaNrdWnQg2zCrO4BuLbjlVPcouOBDbpqrUb4hVqAAFDVXshBWku
	N9xTvNoAuQmtncuS1R/0tZ0Km2dhWHbOvg2LNZEk1zDvl2OBCFpmgc/W1CLRRIEgO0Cx
	uHyyzV2CCHI1pjtCSfrwxDxE2HQH4OSwwFMv8G3j9jtqb1fgaP3eCpVyu0cCkc/LXuWv
	QUHiVFHru6+ud8AGaQ6jdlARRE3itjSW9sgqWoC5xpGo/DUW5IeZ1C4Apa71q7mw2BTU
	fuCNmxG54WPzwVtWSgZ64MwxDUVC3dYSUbQB7B0HSItI0dFltGdiH6wBrpoVeVMkL7h5
	UlWg==
X-Received: by 10.180.160.203 with SMTP id xm11mr17784654wib.17.1380025750598; 
	Tue, 24 Sep 2013 05:29:10 -0700 (PDT)
Received: from [172.16.26.11] ([90.198.229.53])
	by mx.google.com with ESMTPSA id fb9sm7131937wid.7.1969.12.31.16.00.00
	(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Tue, 24 Sep 2013 05:29:09 -0700 (PDT)
Message-ID: <52418594.4000105@xen.org>
Date: Tue, 24 Sep 2013 07:29:08 -0500
From: Lars Kurth <lars.kurth@xen.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: xen-announce@lists.xenproject.org
X-Mailman-Approved-At: Tue, 24 Sep 2013 12:32:07 +0000
Subject: [Xen-announce] Xen Developer Summit Schedule is available
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: lars.kurth@xen.org
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

Dear Community Member,

the schedule for the Xen Project Developer Summit is finally available 
at: http://xendevelopersummit2013.sched.org/ ... the event websites will 
be updated shortly. Do register at 
http://events.linuxfoundation.org//events/xen-project-developer-summit/attend/register 
and book your hotel rooms as soon as you can! Xen Dev Summit is already 
half sold out!

== Hotels ==
We added another room block at the Crowne Plaza and added other options 
to 
http://events.linuxfoundation.org/events/xen-project-developer-summit/attend/hoteltravel. 
For example, the Sheraton still has rooms at good pre-paid rates: the 
info is also on the website.

== BoFs ==
We do still have a number of BoF slots available in the schedule. BoFs 
are small discussion groups for specific topics. If you do want a BoF, 
please send me an e-mail with a BoF title, a short description and your 
name and a short bio. BoF organizers will get 3-5 minutes (depending on 
the number of BoFs a day) in the BoF announcement slot after lunch to 
pitch for their BoF - no slides are allowed for the pitch.

== Xen Project Developer Meeting ==
Also, if you want to attend the Developer Meeting before the summit, see 
http://wiki.xen.org/wiki/Developer_Meeting_XS13 ... I have talked to the 
organizers of the KVM Forum last week, who are holding a Hackathon at 
the same time as the Dev meeting takes place. We are trying to get both 
events co-located (rooms next to each other), such that if QEMU-related 
topics are discussed at the Developer Meeting, you can walk over to the 
Hackathon and pull the relevant people. I will confirm later whether we 
managed to co-locate rooms.

Hope to see you at the event

Best Regards
Lars

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce

From xen-announce-bounces@lists.xen.org Wed Sep 25 08:32:57 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 25 Sep 2013 08:32:57 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VOkVH-0006oi-8R; Wed, 25 Sep 2013 08:31:23 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1VOkVF-0006oL-NO; Wed, 25 Sep 2013 08:31:22 +0000
Received: from [85.158.139.211:23512] by server-16.bemta-5.messagelabs.com id
	83/5F-03533-85F92425; Wed, 25 Sep 2013 08:31:20 +0000
X-Env-Sender: ianc@xenbits.xen.org
X-Msg-Ref: server-2.tower-206.messagelabs.com!1380097878!4485967!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 12612 invoked from network); 25 Sep 2013 08:31:19 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-2.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	25 Sep 2013 08:31:19 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1VOkV5-0006lx-Tz; Wed, 25 Sep 2013 08:31:11 +0000
Received: from ianc by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1VOkV5-0005Sa-KJ; Wed, 25 Sep 2013 08:31:11 +0000
Date: Wed, 25 Sep 2013 08:31:11 +0000
Message-Id: <E1VOkV5-0005Sa-KJ@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 62 (CVE-2013-1442) -
 Information leak on AVX and/or LWP capable CPUs
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2013-1442 / XSA-62
                              version 2

            Information leak on AVX and/or LWP capable CPUs

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

When a guest increases the set of extended state components for a vCPU saved/
restored via XSAVE/XRSTOR (to date this can only be the upper halves of YMM
registers, or AMD's LWP state) after already having touched other extended
registers restored via XRSTOR (e.g. floating point or XMM ones) during its
current scheduled CPU quantum, the hypervisor would make those registers
accessible without discarding the values an earlier scheduled vCPU may have
left in them.

IMPACT
======

A malicious domain may be able to leverage this to obtain sensitive information
such as cryptographic keys from another domain.

VULNERABLE SYSTEMS
==================

Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting AVX and/or LWP.  Any kind of guest can exploit the vulnerability.

In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is disabled by
default; therefore systems running these versions are not vulnerable unless
support is explicitly enabled using the "xsave" hypervisor command line option.

Systems using processors supporting neither AVX nor LWP are not vulnerable.

Xen 3.x and earlier are not vulnerable.

MITIGATION
==========

Turning off XSAVE support via the "no-xsave" hypervisor command line option
will avoid the vulnerability.

CREDITS
=======

Jan Beulich discovered this issue.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa62.patch                 Xen 4.2.x, 4.3.x, and unstable
xsa62-4.1.patch             Xen 4.1.x

$ sha256sum xsa62*.patch
3cec8ec26552f2142c044422f1bc0f77892e681d789d1f360ecc06e1d714b6bb  xsa62-4.1.patch
364577f317a714099c068eb1ab771643ada99b5067fdd1eb5149fa5db649b856  xsa62.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa62-4.1.patch"
Content-Disposition: attachment; filename="xsa62-4.1.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa62.patch"
Content-Disposition: attachment; filename="xsa62.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Mon Sep 30 12:05:57 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 30 Sep 2013 12:05:57 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VQcDM-0006GE-Ln; Mon, 30 Sep 2013 12:04:36 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1VQcDL-0006Fj-6U; Mon, 30 Sep 2013 12:04:35 +0000
Received: from [193.109.254.147:21904] by server-15.bemta-14.messagelabs.com
	id 95/7B-10716-2D869425; Mon, 30 Sep 2013 12:04:34 +0000
X-Env-Sender: ianc@xenbits.xen.org
X-Msg-Ref: server-2.tower-27.messagelabs.com!1380542672!2392095!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 8487 invoked from network); 30 Sep 2013 12:04:33 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-2.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	30 Sep 2013 12:04:33 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1VQcDB-0000wp-H0; Mon, 30 Sep 2013 12:04:25 +0000
Received: from ianc by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1VQcDB-0000Pk-DR; Mon, 30 Sep 2013 12:04:25 +0000
Date: Mon, 30 Sep 2013 12:04:25 +0000
Message-Id: <E1VQcDB-0000Pk-DR@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 66 (CVE-2013-4361) -
 Information leak through fbld instruction emulation
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              Xen Security Advisory CVE-2013-4361 / XSA-66
                              version 3

           Information leak through fbld instruction emulation

UPDATES IN VERSION 3
====================

Public Release.

ISSUE DESCRIPTION
=================

The emulation of the fbld instruction (which is used during I/O
emulation) uses the wrong variable for the source effective address.
As a result, the actual address used is an uninitialised bit pattern
from the stack.

A malicious guest might be able to find out information about the
contents of the hypervisor stack, by observing which values are
actually being used by fbld and inferring what the address must have
been.  Depending on the actual values on the stack this attack might
be very difficult to carry out.

IMPACT
======

A malicious guest might conceivably gain access to sensitive data
relating to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.3.x and later are vulnerable.

Only HVM guests can take advantage of this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.  We believe this
vulnerability would require significant research to exploit.

CREDITS
=======

Jan Beulich discovered this issue.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa66.patch             Xen 4.2.x, Xen 4.3.x, xen-unstable


$ sha256sum xsa66.patch
3a9b6bf114eb19d708b68dd5973763ac83b57840bc0f6fbd1fe487797eaffed4  xsa66.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa66.patch"
Content-Disposition: attachment; filename="xsa66.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
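
Added example, not part of the advisories or of the Xen project's tooling: the RESOLUTION sections of XSA-62 and XSA-66 above each list a `$ sha256sum` digest for every attached patch, and this sketch checks the attachments of such a multipart message against the digests in its text part. The function names and the sample message are constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# One line of `sha256sum` output: 64 hex digits, two spaces, file name.
SUM_LINE = re.compile(r"^([0-9a-f]{64})  (\S+)\r?$", re.MULTILINE)


def published_sums(body_text):
    """Return {filename: sha256 hex} from a `$ sha256sum` listing in the body."""
    return {name: digest for digest, name in SUM_LINE.findall(body_text)}


def check_advisory(raw_message):
    """Compare each attachment with the digest listed in the text part.

    Returns {filename: "ok" | "MISMATCH" | "UNLISTED" | "MISSING"}.
    The digests are only as trustworthy as the text that carries them:
    the body is PGP clearsigned, and this function does NOT verify that
    signature (do so first, e.g. with `gpg --verify`).
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    expected, attachments = {}, {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            # get_payload(decode=True) undoes the base64 transfer encoding.
            attachments[name] = part.get_payload(decode=True)
        elif part.get_content_type() == "text/plain":
            expected.update(published_sums(part.get_content()))

    results = {}
    for name, data in attachments.items():
        want = expected.get(name)
        if want is None:
            results[name] = "UNLISTED"      # attached but no digest published
        elif hashlib.sha256(data).hexdigest() == want:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"      # altered in transit or in the archive
    for name in expected:
        results.setdefault(name, "MISSING")  # digest published, file not attached
    return results


def build_sample(patch_bytes, listed_bytes):
    """Constructed test message: text part lists sha256(listed_bytes),
    attachment carries patch_bytes. Not a real advisory."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed advisory (sample)"
    digest = hashlib.sha256(listed_bytes).hexdigest()
    msg.set_content(
        "RESOLUTION\n==========\n\n"
        "$ sha256sum sample.patch\n%s  sample.patch\n$\n" % digest
    )
    msg.add_attachment(patch_bytes, maintype="application",
                       subtype="octet-stream", filename="sample.patch")
    return msg.as_bytes()


if __name__ == "__main__":
    patch = b"--- a/file\n+++ b/file\n"
    print(check_advisory(build_sample(patch, patch)))
    print(check_advisory(build_sample(b"tampered\n", patch)))
```
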


From xen-announce-bounces@lists.xen.org Mon Sep 30 12:05:57 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 30 Sep 2013 12:05:57 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VQcDM-0006GE-Ln; Mon, 30 Sep 2013 12:04:36 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1VQcDL-0006Fj-6U; Mon, 30 Sep 2013 12:04:35 +0000
Received: from [193.109.254.147:21904] by server-15.bemta-14.messagelabs.com
	id 95/7B-10716-2D869425; Mon, 30 Sep 2013 12:04:34 +0000
X-Env-Sender: ianc@xenbits.xen.org
X-Msg-Ref: server-2.tower-27.messagelabs.com!1380542672!2392095!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 8487 invoked from network); 30 Sep 2013 12:04:33 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-2.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	30 Sep 2013 12:04:33 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1VQcDB-0000wp-H0; Mon, 30 Sep 2013 12:04:25 +0000
Received: from ianc by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1VQcDB-0000Pk-DR; Mon, 30 Sep 2013 12:04:25 +0000
Date: Mon, 30 Sep 2013 12:04:25 +0000
Message-Id: <E1VQcDB-0000Pk-DR@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 66 (CVE-2013-4361) -
 Information leak through fbld instruction emulation


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              Xen Security Advisory CVE-2013-4361 / XSA-66
                              version 3

           Information leak through fbld instruction emulation

UPDATES IN VERSION 3
====================

Public Release.

ISSUE DESCRIPTION
=================

The emulation of the fbld instruction (which is used during I/O
emulation) uses the wrong variable for the source effective address.
As a result, the actual address used is an uninitialised bit pattern
from the stack.

A malicious guest might be able to find out information about the
contents of the hypervisor stack, by observing which values are
actually being used by fbld and inferring what the address must have
been.  Depending on the actual values on the stack this attack might
be very difficult to carry out.

IMPACT
======

A malicious guest might conceivably gain access to sensitive data
relating to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.3.x and later are vulnerable.

Only HVM guests can take advantage of this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.  We believe this
vulnerability would require significant research to exploit.

CREDITS
=======

Jan Beulich discovered this issue.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa66.patch             Xen 4.2.x, Xen 4.3.x, xen-unstable


$ sha256sum xsa66.patch
3a9b6bf114eb19d708b68dd5973763ac83b57840bc0f6fbd1fe487797eaffed4  xsa66.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa66.patch"
Content-Disposition: attachment; filename="xsa66.patch"
Content-Transfer-Encoding: base64


--=separator--
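
The bug class XSA-66 describes (the decoded effective address is stored in
the wrong operand variable, so the read goes through a variable that still
holds stack residue) is modelled below, with a check that flags it. This is
an added example, not code from the advisory or from Xen; struct operand,
guest_read, fbld_buggy, fbld_fixed and the residue offsets are hypothetical,
and the "stale" argument stands in for an uninitialised local.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_MEM_SIZE 64u
#define FBLD_BYTES     10u   /* fbld loads an 80-bit packed BCD operand */

/* Hypothetical, simplified emulator operand (not Xen's real structure). */
struct operand {
    unsigned long off;             /* guest offset the operand lives at */
    unsigned int  bytes;           /* operand width in bytes */
    uint8_t       val[FBLD_BYTES]; /* bytes fetched from the guest */
};

static uint8_t guest_mem[GUEST_MEM_SIZE];   /* constructed guest memory */

/* Bounds-checked guest read: 0 on success, -1 on an out-of-range request. */
static int guest_read(unsigned long off, void *buf, unsigned int bytes)
{
    if (bytes > GUEST_MEM_SIZE || off > GUEST_MEM_SIZE - bytes)
        return -1;
    memcpy(buf, guest_mem + off, bytes);
    return 0;
}

/*
 * Buggy shape: the decoded address lands in dst, but the read uses src.
 * Reading a truly uninitialised local is undefined behaviour, so the
 * residue is passed in explicitly as `stale` to keep the model defined.
 */
int fbld_buggy(unsigned long ea_off, const struct operand *stale,
               unsigned long *used_off)
{
    struct operand ea = { .off = ea_off, .bytes = FBLD_BYTES };
    struct operand src = *stale;   /* stands in for an uninitialised local */
    struct operand dst;

    dst = ea;                      /* wrong variable receives the address */
    (void)dst;
    *used_off = src.off;           /* address actually dereferenced */
    return guest_read(src.off, src.val, src.bytes);
}

/* Fixed shape: the source operand is set up from the decoded address. */
int fbld_fixed(unsigned long ea_off, const struct operand *stale,
               unsigned long *used_off)
{
    struct operand ea = { .off = ea_off, .bytes = FBLD_BYTES };
    struct operand src = *stale;

    src = ea;                      /* residue is overwritten before use */
    *used_off = src.off;
    return guest_read(src.off, src.val, src.bytes);
}

typedef int (*fbld_fn)(unsigned long, const struct operand *, unsigned long *);

/* Run one emulation with the given residue and report the address read. */
unsigned long used_offset(fbld_fn emulate, unsigned long ea_off,
                          unsigned long stale_off)
{
    struct operand stale;
    unsigned long used = 0;

    memset(&stale, 0, sizeof(stale));
    stale.off = stale_off;         /* constructed residue value */
    stale.bytes = FBLD_BYTES;
    emulate(ea_off, &stale, &used);
    return used;
}

/*
 * Regression check: emulate the same instruction twice, changing only the
 * residue. If the address read changes, an uninitialised value reaches it.
 * Returns 1 when the address depends on the residue, 0 otherwise.
 */
int address_depends_on_stale(fbld_fn emulate, unsigned long ea_off)
{
    return used_offset(emulate, ea_off, 0x10) !=
           used_offset(emulate, ea_off, 0x30);
}

int main(void)
{
    printf("buggy: address follows stale data: %d\n",
           address_depends_on_stale(fbld_buggy, 8));
    printf("fixed: address follows stale data: %d\n",
           address_depends_on_stale(fbld_fixed, 8));
    return 0;
}
```

The same two-residue comparison can be used as a unit test for any emulation
path that builds operand descriptors on the stack.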


From xen-announce-bounces@lists.xen.org Mon Sep 30 12:06:01 2013
Date: Mon, 30 Sep 2013 12:04:18 +0000
Message-Id: <E1VQcD4-0000On-Pn@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 64 (CVE-2013-4356) - Memory
 accessible by 64-bit PV guests under live migration


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              Xen Security Advisory CVE-2013-4356 / XSA-64
                             version 3

      Memory accessible by 64-bit PV guests under live migration

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

On some hardware, during live migration of 64-bit PV guests, some
parts of the guest's shadow pagetables are mistakenly filled in with
hypervisor mappings.  This causes Xen to crash when those mappings are
later cleared.  Before the crash, a malicious guest could use
hypercalls to cause Xen to read and write the parts of memory pointed
to by the stray mappings.

IMPACT
======

A malicious 64-bit PV guest, on a vulnerable host system, that can
arrange for itself to be live-migrated, could read or write memory at
high physical addresses on the host.

Note that once such a guest begins live migration the host is likely
to eventually crash, either when the live migration completes or on an
earlier page fault.  This crash could be avoided if the malicious
guest uses its improperly escalated privilege to prevent it.

VULNERABLE SYSTEMS
==================

Xen 4.3.x and xen-unstable are vulnerable.
Xen 4.2.x and earlier releases are not vulnerable.

In addition, only hosts with RAM extending past 5TB are affected.

On any host that is affected (and has not yet been successfully
attacked), live migration of a 64-bit PV guest will deterministically
crash the host.  If you can migrate a 64-bit PV guest from host A
to host B, without crashing host A, then host A is not affected by
this bug.

MITIGATION
==========

Running only HVM and 32-bit PV guests or preventing live migration of
64-bit PV guests will avoid this issue.

CREDITS
=======

Andrew Cooper found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa64.patch        xen-unstable, xen-4.3

$ sha256sum xsa64.patch
061396916de992c43b8637909d315581589e5fc28f238aca6822947b45445a47  xsa64.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa64.patch"
Content-Disposition: attachment; filename="xsa64.patch"
Content-Transfer-Encoding: base64


--=separator--


From xen-announce-bounces@lists.xen.org Mon Sep 30 12:06:02 2013
Date: Mon, 30 Sep 2013 12:04:15 +0000
Message-Id: <E1VQcD1-0000Nq-BD@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 63 (CVE-2013-4355) -
 Information leaks through I/O instruction emulation


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              Xen Security Advisory CVE-2013-4355 / XSA-63
                             version 3

         Information leaks through I/O instruction emulation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Insufficient or missing error handling in certain routines dealing
with guest memory reads can lead to uninitialized data on the
hypervisor stack (potentially containing sensitive data from prior
work the hypervisor performed) being copied to guest visible storage.

This allows a malicious HVM guest to craft certain operations (namely,
but not limited to, port or memory mapped I/O writes) involving
physical or virtual addresses that have no actual memory associated
with them, so that hypervisor stack contents are copied into the
destination of the operation, thus becoming visible to the guest.

IMPACT
======

A malicious HVM guest might be able to read sensitive data relating
to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

Only HVM guests can take advantage of this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew
Cooper & Tim Deegan.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa63.patch        Xen 4.2.x, 4.3.x, and unstable

$ sha256sum xsa63*.patch
32fa93d8ebdfbe85931c52010bf9e561fdae8846462c5b1f2fbc217ca36f3005  xsa63.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa63.patch"
Content-Disposition: attachment; filename="xsa63.patch"
Content-Transfer-Encoding: base64

X2d1ZXN0X3BoeXMoJmRhdGEsIAotICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgIHAtPmRhdGEgKyAoc2lnbiAqIGkgKiBwLT5z
aXplKSwKLSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICBwLT5zaXplKTsKLSAgICAgICAgICAgIGlmICggKHJldCA9PSBIVk1D
T1BZX2dmbl9wYWdlZF9vdXQpICYmCi0gICAgICAgICAgICAgICAgIChyZXQg
PT0gSFZNQ09QWV9nZm5fc2hhcmVkKSApCisgICAgICAgICAgICBzd2l0Y2gg
KCBodm1fY29weV9mcm9tX2d1ZXN0X3BoeXMoJmRhdGEsCisgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcC0+ZGF0YSAr
IHNpZ24gKiBpICogcC0+c2l6ZSwKKyAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICBwLT5zaXplKSApCisgICAgICAgICAg
ICB7CisgICAgICAgICAgICBjYXNlIEhWTUNPUFlfb2theToKKyAgICAgICAg
ICAgICAgICBicmVhazsKKyAgICAgICAgICAgIGNhc2UgSFZNQ09QWV9nZm5f
cGFnZWRfb3V0OgorICAgICAgICAgICAgY2FzZSBIVk1DT1BZX2dmbl9zaGFy
ZWQ6CiAgICAgICAgICAgICAgICAgcmV0dXJuIFg4NkVNVUxfUkVUUlk7Cisg
ICAgICAgICAgICBjYXNlIEhWTUNPUFlfYmFkX2dmbl90b19tZm46CisgICAg
ICAgICAgICAgICAgZGF0YSA9IH4wOworICAgICAgICAgICAgICAgIGJyZWFr
OworICAgICAgICAgICAgY2FzZSBIVk1DT1BZX2JhZF9ndmFfdG9fZ2ZuOgor
ICAgICAgICAgICAgICAgIEFTU0VSVCgwKTsKKyAgICAgICAgICAgICAgICAv
KiBmYWxsIHRocm91Z2ggKi8KKyAgICAgICAgICAgIGRlZmF1bHQ6CisgICAg
ICAgICAgICAgICAgcmV0dXJuIFg4NkVNVUxfVU5IQU5ETEVBQkxFOworICAg
ICAgICAgICAgfQogICAgICAgICB9CiAKICAgICAgICAgc3dpdGNoICggcC0+
c2l6ZSApCi0tLSBhL3hlbi9hcmNoL3g4Ni9odm0vdm14L3JlYWxtb2RlLmMK
KysrIGIveGVuL2FyY2gveDg2L2h2bS92bXgvcmVhbG1vZGUuYwpAQCAtMzks
NyArMzksOSBAQCBzdGF0aWMgdm9pZCByZWFsbW9kZV9kZWxpdmVyX2V4Y2Vw
dGlvbigKIAogIGFnYWluOgogICAgIGxhc3RfYnl0ZSA9ICh2ZWN0b3IgKiA0
KSArIDM7Ci0gICAgaWYgKCBpZHRyLT5saW1pdCA8IGxhc3RfYnl0ZSApCisg
ICAgaWYgKCBpZHRyLT5saW1pdCA8IGxhc3RfYnl0ZSB8fAorICAgICAgICAg
aHZtX2NvcHlfZnJvbV9ndWVzdF9waHlzKCZjc19laXAsIGlkdHItPmJhc2Ug
KyB2ZWN0b3IgKiA0LCA0KSAhPQorICAgICAgICAgSFZNQ09QWV9va2F5ICkK
ICAgICB7CiAgICAgICAgIC8qIFNvZnR3YXJlIGludGVycnVwdD8gKi8KICAg
ICAgICAgaWYgKCBpbnNuX2xlbiAhPSAwICkKQEAgLTY0LDggKzY2LDYgQEAg
c3RhdGljIHZvaWQgcmVhbG1vZGVfZGVsaXZlcl9leGNlcHRpb24oCiAgICAg
ICAgIH0KICAgICB9CiAKLSAgICAodm9pZClodm1fY29weV9mcm9tX2d1ZXN0
X3BoeXMoJmNzX2VpcCwgaWR0ci0+YmFzZSArIHZlY3RvciAqIDQsIDQpOwot
CiAgICAgZnJhbWVbMF0gPSByZWdzLT5laXAgKyBpbnNuX2xlbjsKICAgICBm
cmFtZVsxXSA9IGNzci0+c2VsOwogICAgIGZyYW1lWzJdID0gcmVncy0+ZWZs
YWdzICYgflg4Nl9FRkxBR1NfUkY7Cg==

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Mon Sep 30 12:06:02 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 30 Sep 2013 12:06:02 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VQcDE-0006Dh-AA; Mon, 30 Sep 2013 12:04:28 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1VQcDC-0006DF-Rr; Mon, 30 Sep 2013 12:04:27 +0000
Received: from [85.158.137.68:63134] by server-8.bemta-3.messagelabs.com id
	50/0A-28652-9C869425; Mon, 30 Sep 2013 12:04:25 +0000
X-Env-Sender: ianc@xenbits.xen.org
X-Msg-Ref: server-2.tower-31.messagelabs.com!1380542662!5614077!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 23463 invoked from network); 30 Sep 2013 12:04:24 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-2.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	30 Sep 2013 12:04:24 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1VQcD1-0000wI-Ei; Mon, 30 Sep 2013 12:04:15 +0000
Received: from ianc by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1VQcD1-0000Nq-BD; Mon, 30 Sep 2013 12:04:15 +0000
Date: Mon, 30 Sep 2013 12:04:15 +0000
Message-Id: <E1VQcD1-0000Nq-BD@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 63 (CVE-2013-4355) -
 Information leaks through I/O instruction emulation
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              Xen Security Advisory CVE-2013-4355 / XSA-63
                             version 3

         Information leaks through I/O instruction emulation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Insufficient or missing error handling in certain routines dealing
with guest memory reads can lead to uninitialized data on the
hypervisor stack (potentially containing sensitive data from prior
work the hypervisor performed) being copied to guest visible storage.

This allows a malicious HVM guest to craft certain operations (namely,
but not limited to, port or memory mapped I/O writes) involving
physical or virtual addresses that have no actual memory associated
with them, so that hypervisor stack contents are copied into the
destination of the operation, thus becoming visible to the guest.

IMPACT
======

A malicious HVM guest might be able to read sensitive data relating
to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

Only HVM guests can take advantage of this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew
Cooper & Tim Deegan.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa63.patch        Xen 4.2.x, 4.3.x, and unstable

$ sha256sum xsa63*.patch
32fa93d8ebdfbe85931c52010bf9e561fdae8846462c5b1f2fbc217ca36f3005  xsa63.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa63.patch"
Content-Disposition: attachment; filename="xsa63.patch"
Content-Transfer-Encoding: base64


--=separator--
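
Added illustration of the flaw described under ISSUE DESCRIPTION in the XSA-63 advisory above: a guest-memory read whose failure status is discarded, next to a caller that resolves every status first. This is not part of the advisory, of xsa63.patch, or of Xen; all names and values are constructed, the stale stack slot is modelled by an explicit `stale` parameter so the outcome is deterministic, and substituting all-ones for an unbacked address is this example's assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes; not Xen's identifiers. */
enum copy_status { COPY_OKAY, COPY_RETRY, COPY_BAD_ADDRESS };
enum emul_status { EMUL_OKAY, EMUL_RETRY, EMUL_UNHANDLEABLE };

static uint8_t guest_ram[64];   /* constructed guest memory */
static uint32_t device_reg;     /* guest-visible destination of the I/O write */

/* Reads guest memory; on failure *dst is left exactly as the caller had it. */
static enum copy_status copy_from_guest(void *dst, uint64_t gpa, size_t size)
{
    if (gpa > sizeof(guest_ram) || size > sizeof(guest_ram) - gpa)
        return COPY_BAD_ADDRESS;            /* no memory behind this address */
    memcpy(dst, guest_ram + gpa, size);
    return COPY_OKAY;
}

/* BEFORE: status discarded. `stale` models what earlier hypervisor work
 * left in the stack slot that `data` occupies. */
static enum emul_status io_write_unchecked(uint64_t gpa, uint32_t stale)
{
    uint32_t data = stale;
    (void)copy_from_guest(&data, gpa, sizeof(data));
    device_reg = data;                      /* stale bytes become guest-visible */
    return EMUL_OKAY;
}

/* AFTER: every status is resolved before `data` is consumed. */
static enum emul_status io_write_checked(uint64_t gpa, uint32_t stale)
{
    uint32_t data = stale;
    switch (copy_from_guest(&data, gpa, sizeof(data))) {
    case COPY_OKAY:        break;
    case COPY_RETRY:       return EMUL_RETRY;
    case COPY_BAD_ADDRESS: data = ~0u; break;   /* defined value, not stack */
    default:               return EMUL_UNHANDLEABLE;
    }
    device_reg = data;
    return EMUL_OKAY;
}

/* Runs one emulated write and returns what the guest can then read back. */
static uint32_t guest_sees(int checked, uint64_t gpa)
{
    memset(guest_ram, 0x11, sizeof(guest_ram));
    device_reg = 0;
    (checked ? io_write_checked : io_write_unchecked)(gpa, 0xDEADBEEFu);
    return device_reg;
}

int main(void)
{
    printf("unbacked, unchecked: %08x\n", (unsigned)guest_sees(0, 0x1000));
    printf("unbacked, checked:   %08x\n", (unsigned)guest_sees(1, 0x1000));
    return 0;
}
```

When reviewing similar emulation paths, the pattern to look for is a local buffer passed to a fallible copy routine and then consumed without the return value gating its use.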


