From xen-announce-bounces@lists.xen.org Wed Oct 02 16:28:18 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 02 Oct 2013 16:28:18 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VRPFy-0007aA-6B; Wed, 02 Oct 2013 16:26:34 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1VRPFv-0007Zn-Tb; Wed, 02 Oct 2013 16:26:32 +0000
Received: from [193.109.254.147:63778] by server-8.bemta-14.messagelabs.com id
	56/95-14324-7394C425; Wed, 02 Oct 2013 16:26:31 +0000
X-Env-Sender: ianc@xenbits.xen.org
X-Msg-Ref: server-10.tower-27.messagelabs.com!1380731189!4515971!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 25716 invoked from network); 2 Oct 2013 16:26:30 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-10.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	2 Oct 2013 16:26:30 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1VRPFn-0004Pn-8H; Wed, 02 Oct 2013 16:26:23 +0000
Received: from ianc by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1VRPFn-00053J-3A; Wed, 02 Oct 2013 16:26:23 +0000
Date: Wed, 02 Oct 2013 16:26:23 +0000
Message-Id: <E1VRPFn-00053J-3A@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 65 (CVE-2013-4344) - qemu SCSI
 REPORT LUNS buffer overflow
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4344 / XSA-65
                              version 2

                 qemu SCSI REPORT LUNS buffer overflow

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

qemu contains a possible buffer overflow in the SCSI code that
implements the REPORT LUNS command.  The buffer can be overflowed by
creating a SCSI controller with more than 256 attached devices (such
as disks) and sending a REPORT LUNS command with a short transfer
buffer (less than 2056 bytes).

Xen systems do not use the qemu SCSI code by default.

IMPACT
======

On Xen systems where the device_model_args (or equivalent) parameters
have been used to configure a SCSI controller for a guest, with more
than 256 devices, a malicious guest might be able to escalate its
privilege to that of the qemu process in the host (typically root).

VULNERABLE SYSTEMS
==================

Only Xen systems whose administrators have deliberately configured HVM
guests to have emulated SCSI controllers, and where those guests are
provided with more than 256 devices, are vulnerable.

We are not aware of any such systems.

MITIGATION AND RESOLUTION
=========================

Please refer to the advisories and information from the Qemu project.

If, during the embargo period, you have any questions about this
advisory in the context of Xen, please contact the Xen Project
Security Team.

CREDITS
=======

This issue was reported to us by the Qemu project.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSTEiLAAoJEIP+FMlX6CvZsuIH/2f6vLkHvXLe862mX/bKF1Ix
TQQjvoIxV8dAJmY6Rb5U1KKvNK8JoNNcxtv5rPkQ7n+5TcR2AuWGkuHA5CZGCa10
ctW2dmf7/V46SOrJz0xPKzNcNJSdu7R9sLo6Dbw4c0m/+xs5H29AO38VHXyKNtgN
eMZBcMt9GUgGt0PFMsqDkcGnk2RgA9aXzPycHumuCEtUlzF23m0PpqZK3qKUAK0s
lTHjr4WBmsxBaQyqmjdyMPdmh2BtnYa6pkmGvNw3ALncuhO5aepL7rbeE0ZtUOEO
o5pB88MRAOGeu0DRDgYm6r6aWLh2SjeGKJayljYTJXp2yS5tlSMBkXH6w0khZj8=
=c8pu
-----END PGP SIGNATURE-----

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--

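The REPORT LUNS overflow described in XSA-65 above comes down to arithmetic: a REPORT LUNS response is an 8-byte header (4-byte LUN list length plus 4 reserved bytes) followed by one 8-byte entry per logical unit, so 256 units fill exactly 8 + 256 * 8 = 2056 bytes, the figure the advisory quotes. What follows is an added example, not qemu's code: a constructed response builder written with a fixed 2056-byte buffer, beside a hardened builder that sizes the response from the device count and honours the initiator's allocation length (its transfer buffer). The LUN entry encoding is simplified and is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* REPORT LUNS parameter data (SPC): a 4-byte big-endian LUN list length,
 * 4 reserved bytes, then one 8-byte entry per logical unit. */
#define RL_HEADER_LEN 8
#define RL_ENTRY_LEN  8
/* A fixed response buffer sized for exactly 256 units: 8 + 256 * 8 = 2056,
 * the figure quoted in the advisory. */
#define RL_FIXED_BUF  2056

/* Bytes needed for a complete response listing n_luns units. */
size_t report_luns_required_len(size_t n_luns)
{
    return RL_HEADER_LEN + n_luns * RL_ENTRY_LEN;
}

/* How far the fixed-buffer writer below would run past its buffer. */
size_t fixed_buf_overrun_bytes(size_t n_luns)
{
    size_t need = report_luns_required_len(n_luns);
    return need > RL_FIXED_BUF ? need - RL_FIXED_BUF : 0;
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Encode one LUN entry. Simplified (an assumption of this example): the
 * LUN number is stored big-endian in the first two bytes; real targets use
 * the SAM LUN addressing formats. */
static void put_lun_entry(uint8_t *e, unsigned lun)
{
    memset(e, 0, RL_ENTRY_LEN);
    e[0] = (uint8_t)(lun >> 8);
    e[1] = (uint8_t)lun;
}

/* Vulnerable pattern (constructed, not qemu's code): the writer trusts the
 * device count and never compares it with the size of its fixed buffer, so
 * for n_luns > 256 the loop writes past the end of out[]. Only safe to
 * call with n_luns <= 256. */
size_t build_report_luns_unsafe(uint8_t out[RL_FIXED_BUF], size_t n_luns)
{
    put_be32(out, (uint32_t)(n_luns * RL_ENTRY_LEN));
    memset(out + 4, 0, 4);
    for (size_t i = 0; i < n_luns; i++)
        put_lun_entry(out + RL_HEADER_LEN + i * RL_ENTRY_LEN, (unsigned)i);
    return report_luns_required_len(n_luns);
}

/* Hardened version: size the response from the device count, copy no more
 * than the initiator's allocation length (its transfer buffer), and keep the
 * true list length in the header so the initiator can tell the response was
 * truncated. Returns bytes written to out, or 0 on allocation failure. */
size_t build_report_luns_safe(uint8_t *out, size_t alloc_len, size_t n_luns)
{
    size_t need = report_luns_required_len(n_luns);
    uint8_t *resp = calloc(need, 1);
    if (resp == NULL)
        return 0;
    put_be32(resp, (uint32_t)(n_luns * RL_ENTRY_LEN));
    for (size_t i = 0; i < n_luns; i++)
        put_lun_entry(resp + RL_HEADER_LEN + i * RL_ENTRY_LEN, (unsigned)i);
    size_t copy = need < alloc_len ? need : alloc_len;
    memcpy(out, resp, copy);
    free(resp);
    return copy;
}

/* Exercise the safe path: bytes delivered for a device count and transfer
 * buffer size, and the list length the initiator reads from the header. */
size_t safe_bytes_delivered(size_t n_luns, size_t alloc_len)
{
    uint8_t *buf = malloc(alloc_len ? alloc_len : 1);
    size_t n = buf ? build_report_luns_safe(buf, alloc_len, n_luns) : 0;
    free(buf);
    return n;
}

uint32_t safe_reported_list_len(size_t n_luns, size_t alloc_len)
{
    uint8_t hdr[RL_HEADER_LEN] = {0};
    uint8_t *buf = malloc(alloc_len ? alloc_len : 1);
    if (buf == NULL)
        return 0;
    size_t n = build_report_luns_safe(buf, alloc_len, n_luns);
    memcpy(hdr, buf, n < RL_HEADER_LEN ? n : RL_HEADER_LEN);
    free(buf);
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8) | hdr[3];
}

int main(void)
{
    printf("257 units need %zu bytes: fixed buffer overrun by %zu bytes\n",
           report_luns_required_len(257), fixed_buf_overrun_bytes(257));
    printf("300 units, 1024-byte transfer: %zu bytes sent, header says %u\n",
           safe_bytes_delivered(300, 1024), safe_reported_list_len(300, 1024));
    return 0;
}
```

The two conditions in the advisory map onto the two sizes here: more than 256 devices makes the required length exceed the fixed 2056-byte buffer, and a transfer buffer shorter than 2056 bytes is what the hardened builder must clamp to. The header still carries the full list length, which is how an initiator learns that it needs to retry with a larger buffer.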

From xen-announce-bounces@lists.xen.org Thu Oct 10 12:24:05 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 10 Oct 2013 12:24:05 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VUFGa-0005Yb-2f; Thu, 10 Oct 2013 12:22:56 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VUFGZ-0005Y2-01; Thu, 10 Oct 2013 12:22:55 +0000
Received: from [85.158.139.211:35149] by server-7.bemta-5.messagelabs.com id
	E8/40-24315-D1C96525; Thu, 10 Oct 2013 12:22:53 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-4.tower-206.messagelabs.com!1381407771!597185!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: INFO: max file limit 5000
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 32680 invoked from network); 10 Oct 2013 12:22:52 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-4.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	10 Oct 2013 12:22:52 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VUFGQ-0004pf-84; Thu, 10 Oct 2013 12:22:46 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VUFGP-0002YX-VB; Thu, 10 Oct 2013 12:22:46 +0000
Date: Thu, 10 Oct 2013 12:22:45 +0000
Message-Id: <E1VUFGP-0002YX-VB@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 68 (CVE-2013-4369) - possible
 null dereference when parsing vif ratelimiting info
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4369 / XSA-68
                               version 2

     possible null dereference when parsing vif ratelimiting info

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The libxlu library function xlu_vif_parse_rate does not properly
handle inputs which consist solely of the '@' character, leading to a
NULL pointer dereference.

IMPACT
======

A toolstack which allows untrusted users to specify an arbitrary
configuration for the VIF rate can be subjected to a DoS.

The only known user of this library is the xl toolstack which does not
have a central long running daemon and therefore the impact is limited
to crashing the process which is creating the domain, which exists
only to service a single domain.

VULNERABLE SYSTEMS
==================

The vulnerable code is present from Xen 4.2 onwards.

MITIGATION
==========

Disallowing untrusted users from specifying arbitrary VIF rate limits
will avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue in all branches.

xsa68.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa68*.patch
64716cb49696298e0bbd9556fe9d6f559a4e2785081e28d50607317b6e27ba32  xsa68.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSVpv6AAoJEIP+FMlX6CvZh5AH/3eMQvmLfgXNbr/vBFKwwJFc
FXd/5N76S17ZI5jTPLoXc1GiXOI9MhPNazKo6e/RLYkVrxgK4Cq8jowBJBgg8Q4R
egOlTinu87uT3ik6DP1ZQVQXEC2Wot0lJwjkN5B/72Tx/ldnS7i/Wi7P5QW7kzcJ
3FWSoCP/degKK/pBbPbt6keUjsUgkIXR3S0Vx/5+NXWeGMfjBFMqV6O1TQ1COkjw
GrvYzXBPAnhmw0fUSYdh87Ed2MH0nZqBGuP/b4wlXqoYWBZN/1xs8M+txnfGLyRm
+vvoM5shs+IiC0cVUcOPF+o7xZRiF6ZNdEMZdMV0NPHNeVEKtdXd6zlc/7VWuvM=
=9/V5
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa68.patch"
Content-Disposition: attachment; filename="xsa68.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--

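An added example, not libxlu's code: a constructed parser for the xl vif rate syntax "RATE[@INTERVAL]" (for instance "10Mb/s@20ms") that shows why an input consisting solely of '@', the case named in XSA-68 above, is hazardous when the string is tokenised with strtok(), beside a hardened parser that rejects it and the neighbouring malformed forms. The unit grammar, the decimal K/M/G multipliers and the 50 ms default interval are assumptions of this example; the advisory does not say how libxlu itself splits the string.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed form of a vif rate: bytes the vif may send per interval. */
typedef struct {
    uint64_t bytes_per_interval;
    uint32_t interval_usecs;
} vif_rate;

/* Assumed default interval when none is given: 50 ms. */
#define DEFAULT_INTERVAL_USECS 50000u

/* "RATE" part: decimal number, optional K/M/G (decimal multipliers, an
 * assumption of this example), then "b/s" (bits) or "B/s" (bytes). */
static int parse_bytes_per_sec(const char *s, uint64_t *out)
{
    char *end;
    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    unsigned long long n = strtoull(s, &end, 10);
    if (end == s || errno != 0)
        return -1;
    uint64_t mult = 1;
    if (*end == 'K')      { mult = 1000ULL;       end++; }
    else if (*end == 'M') { mult = 1000000ULL;    end++; }
    else if (*end == 'G') { mult = 1000000000ULL; end++; }
    if (n > UINT64_MAX / mult)
        return -1;
    if (strcmp(end, "b/s") == 0) { *out = n * mult / 8; return 0; }
    if (strcmp(end, "B/s") == 0) { *out = n * mult;     return 0; }
    return -1;
}

/* "INTERVAL" part: decimal number followed by s, ms or us; must be non-zero
 * because the rate is later divided per interval. */
static int parse_interval_usecs(const char *s, uint32_t *out)
{
    char *end;
    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    unsigned long long n = strtoull(s, &end, 10);
    if (end == s || errno != 0 || n == 0)
        return -1;
    uint64_t mult;
    if (strcmp(end, "s") == 0)       mult = 1000000ULL;
    else if (strcmp(end, "ms") == 0) mult = 1000ULL;
    else if (strcmp(end, "us") == 0) mult = 1ULL;
    else return -1;
    if (n > UINT32_MAX / mult)
        return -1;
    *out = (uint32_t)(n * mult);
    return 0;
}

/* The hazard: strtok() skips leading delimiters, so a string consisting only
 * of '@' yields no first token at all. Code that hands that token straight
 * to a number parser dereferences NULL. Returns 1 if the first token is NULL. */
int first_token_is_null(const char *spec)
{
    char buf[64];
    snprintf(buf, sizeof buf, "%s", spec);
    return strtok(buf, "@") == NULL;
}

/* Hardened parser: split with strchr() so both halves are always valid
 * strings, reject an empty rate ("", "@", "@20ms") and an empty interval
 * after '@' ("1Gb/s@"). Returns 0 on success, -1 on malformed input. */
int parse_vif_rate(const char *spec, vif_rate *out)
{
    if (spec == NULL)
        return -1;
    const char *at = strchr(spec, '@');
    size_t rate_len = at ? (size_t)(at - spec) : strlen(spec);
    char rate_part[64];
    if (rate_len == 0 || rate_len >= sizeof rate_part)
        return -1;
    memcpy(rate_part, spec, rate_len);
    rate_part[rate_len] = '\0';

    uint64_t bps;
    uint32_t usecs = DEFAULT_INTERVAL_USECS;
    if (parse_bytes_per_sec(rate_part, &bps) != 0)
        return -1;
    if (at != NULL && parse_interval_usecs(at + 1, &usecs) != 0)
        return -1;
    if (bps > UINT64_MAX / usecs)
        return -1;
    out->interval_usecs = usecs;
    out->bytes_per_interval = bps * usecs / 1000000ULL;
    return 0;
}

/* Single-value wrappers so each input can be checked on its own. */
int vif_rate_ok(const char *spec)
{
    vif_rate r;
    return parse_vif_rate(spec, &r) == 0;
}

uint64_t vif_bytes_per_interval(const char *spec)
{
    vif_rate r;
    return parse_vif_rate(spec, &r) == 0 ? r.bytes_per_interval : 0;
}

int main(void)
{
    const char *inputs[] = { "10Mb/s@20ms", "1Gb/s", "@", "@20ms", "1Gb/s@", "" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-12s first token %s, parse %s\n", inputs[i],
               first_token_is_null(inputs[i]) ? "NULL" : "set",
               vif_rate_ok(inputs[i]) ? "ok" : "rejected");
    return 0;
}
```

The mitigation in the advisory (do not let untrusted users supply the rate string) is the operational counterpart of the parser check: whichever side of the boundary the string crosses, something must reject a rate with no digits before the '@' before a pointer derived from it is dereferenced.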

From xen-announce-bounces@lists.xen.org Thu Oct 10 12:24:05 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 10 Oct 2013 12:24:05 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VUFGd-0005Zz-Pu; Thu, 10 Oct 2013 12:22:59 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VUFGc-0005Z9-GR; Thu, 10 Oct 2013 12:22:58 +0000
Received: from [85.158.137.68:35357] by server-14.bemta-3.messagelabs.com id
	1F/75-00990-12C96525; Thu, 10 Oct 2013 12:22:57 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-7.tower-31.messagelabs.com!1381407775!621865!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: INFO: max file limit 5000
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 8379 invoked from network); 10 Oct 2013 12:22:56 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-7.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	10 Oct 2013 12:22:56 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VUFGT-0004pw-Js; Thu, 10 Oct 2013 12:22:49 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VUFGT-0002ZU-HA; Thu, 10 Oct 2013 12:22:49 +0000
Date: Thu, 10 Oct 2013 12:22:49 +0000
Message-Id: <E1VUFGT-0002ZU-HA@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 69 (CVE-2013-4370) - misplaced
 free in ocaml xc_vcpu_getaffinity stub
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4370 / XSA-69
                               version 2

           misplaced free in ocaml xc_vcpu_getaffinity stub

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The ocaml binding for the xc_vcpu_getaffinity function incorrectly
frees a pointer before using it, and subsequently frees it again
afterwards. The code therefore contains use-after-free and
double-free flaws.

IMPACT
======

An attacker may be able to cause a multithreaded toolstack written in
ocaml and using this function to race against itself leading to heap
corruption and a potential DoS.

Depending on the malloc implementation, code execution cannot be ruled
out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.2 onwards.

Systems using an ocaml based toolstack (e.g. xapi) are vulnerable.

MITIGATION
==========

Not calling the vcpu_getaffinity function will avoid this issue.

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa69.patch             Xen 4.3.x, Xen 4.2.x, xen-unstable


$ sha256sum xsa69*.patch
d3beb662aacf628b6a25ff6cfcd9526ab689aa43a56cf25e792a001f89b4edbc  xsa69.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSVpv9AAoJEIP+FMlX6CvZDDsIALyFWH1+Ox87+kncvYUHu6UJ
m4r85Jqp7pD97hAWP0mbVu/RxZgIE2mUaLDruuRvyaA940HtmsYxYRd010uqxUGQ
ouFdaChJpfyGAgKn15INEQnj7giX5Kd6tPFyza5N4TBm8HbK1N83rpGHDT8+unzA
MTAPk5KXCiIJ0LBU23Ce5ryXwXIkDjwPP+hJ+G0Axv1UpBTn6BhxE135m7cTOemU
oWHSrYbrM4zBpVPQHl1NX8YGtjbBILwDZOmtfJD/EDI2i7iqiIbVAAEoY6xFIHmL
nk0ZSN/rLSBXV+FH+sdJJunQzj4MOXg+nTx6ptO2T1pzTssEVsz6JOgUcCEMIy8=
=4eSf
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa69.patch"
Content-Disposition: attachment; filename="xsa69.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--

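An added example, not the Xen ocaml binding: a constructed C stub with the same shape as the flaw in XSA-69 above (the cpumap is freed before it is read, then freed a second time) beside the corrected ordering. Both run under a small quarantine allocator, standing in for a sanitizer, that records use-after-free reads and double frees instead of letting the process abort. xc_vcpu_getaffinity is replaced by a stand-in that fills a constructed affinity of CPUs 0, 3 and 9.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Quarantine allocator: freed blocks are held rather than returned to
 * malloc (so the buggy path below does not abort), and every read and free
 * is checked against the set of freed blocks. */
#define MAX_QUARANTINE 16
static void *quarantine[MAX_QUARANTINE];
static int n_quarantined;
static int faults;              /* use-after-free reads + double frees seen */

static int is_quarantined(const void *p)
{
    for (int i = 0; i < n_quarantined; i++)
        if (quarantine[i] == p)
            return 1;
    return 0;
}

static void checked_free(void *p)
{
    if (is_quarantined(p)) { faults++; return; }          /* double free */
    if (n_quarantined < MAX_QUARANTINE)
        quarantine[n_quarantined++] = p;
    else
        free(p);
}

static uint8_t checked_read(const uint8_t *base, size_t idx)
{
    if (is_quarantined(base))
        faults++;                                          /* use after free */
    return base[idx];
}

static void quarantine_reset(void)
{
    for (int i = 0; i < n_quarantined; i++)
        free(quarantine[i]);
    n_quarantined = 0;
    faults = 0;
}

/* Stand-in for xc_vcpu_getaffinity(): fills the cpumap with a constructed
 * affinity of CPUs 0, 3 and 9 (bytes 0x09, 0x02). */
static void fake_vcpu_getaffinity(uint8_t *cpumap, size_t len)
{
    for (size_t i = 0; i < len; i++) cpumap[i] = 0;
    if (len > 0) cpumap[0] = 0x09;
    if (len > 1) cpumap[1] = 0x02;
}

/* Buggy ordering with the shape described in the advisory (constructed, not
 * the real stub): the map is freed before it is read, then freed again. */
uint32_t vcpu_affinity_buggy(int nr_cpus)
{
    if (nr_cpus > 32) nr_cpus = 32;          /* mask is 32 bits wide */
    size_t len = ((size_t)nr_cpus + 7) / 8;
    uint8_t *cpumap = calloc(len, 1);
    uint32_t mask = 0;
    if (cpumap == NULL) return 0;
    fake_vcpu_getaffinity(cpumap, len);
    checked_free(cpumap);                    /* BUG: freed before use */
    for (int i = 0; i < nr_cpus; i++)
        if (checked_read(cpumap, i / 8) & (1u << (i % 8)))   /* use after free */
            mask |= 1u << i;
    checked_free(cpumap);                    /* BUG: second free */
    return mask;
}

/* Fixed ordering: the single free comes after the last read. */
uint32_t vcpu_affinity_fixed(int nr_cpus)
{
    if (nr_cpus > 32) nr_cpus = 32;
    size_t len = ((size_t)nr_cpus + 7) / 8;
    uint8_t *cpumap = calloc(len, 1);
    uint32_t mask = 0;
    if (cpumap == NULL) return 0;
    fake_vcpu_getaffinity(cpumap, len);
    for (int i = 0; i < nr_cpus; i++)
        if (checked_read(cpumap, i / 8) & (1u << (i % 8)))
            mask |= 1u << i;
    checked_free(cpumap);
    return mask;
}

/* Drive a stub under the quarantine: its result, or the faults it raised. */
uint32_t mask_of(uint32_t (*stub)(int), int nr_cpus)
{
    quarantine_reset();
    return stub(nr_cpus);
}

int faults_of(uint32_t (*stub)(int), int nr_cpus)
{
    quarantine_reset();
    stub(nr_cpus);
    return faults;
}

int main(void)
{
    printf("fixed: mask 0x%x, faults %d\n",
           mask_of(vcpu_affinity_fixed, 16), faults_of(vcpu_affinity_fixed, 16));
    printf("buggy: mask 0x%x, faults %d\n",
           mask_of(vcpu_affinity_buggy, 16), faults_of(vcpu_affinity_buggy, 16));
    return 0;
}
```

Note that the buggy stub returns the same correct-looking mask as the fixed one, because the quarantined memory is still intact when it is read; with a real malloc the same is usually true in a single-threaded run. That is why this class of bug passes functional tests and is the sort of thing a static analyser such as the Coverity Scan credited above, or a sanitizer at runtime, catches, and why the advisory's impact is phrased around a multithreaded toolstack racing against itself, where another thread can reuse the freed block between the first free and the read.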

From xen-announce-bounces@lists.xen.org Thu Oct 10 12:24:06 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 10 Oct 2013 12:24:06 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VUFGX-0005Xq-Hv; Thu, 10 Oct 2013 12:22:53 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VUFGV-0005XU-Il; Thu, 10 Oct 2013 12:22:51 +0000
Received: from [85.158.137.68:31667] by server-13.bemta-3.messagelabs.com id
	59/C2-25971-A1C96525; Thu, 10 Oct 2013 12:22:50 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-7.tower-31.messagelabs.com!1381407768!621830!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: INFO: max file limit 5000
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 7494 invoked from network); 10 Oct 2013 12:22:49 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-7.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	10 Oct 2013 12:22:49 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VUFGL-0004pT-B0; Thu, 10 Oct 2013 12:22:41 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VUFGK-0002Xa-D5; Thu, 10 Oct 2013 12:22:40 +0000
Date: Thu, 10 Oct 2013 12:22:40 +0000
Message-Id: <E1VUFGK-0002Xa-D5@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 67 (CVE-2013-4368) -
 Information leak through outs instruction emulation
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4368 / XSA-67
                              version 2

         Information leak through outs instruction emulation

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The emulation of the outs instruction for 64-bit PV guests uses an
uninitialized variable as the segment base for the source data if an FS: or
GS: segment override is used and the segment descriptor referenced by the
non-null selector in the corresponding segment register cannot be read by
the emulation code (this is possible if the segment register was loaded
before a more recent GDT or LDT update, i.e. the segment register contains
stale data).

A malicious guest might be able to get hold of contents of the hypervisor
stack through the fault address passed to the page fault handler if the outs
instruction raises such a fault (which is mostly under guest control).  Other
methods for indirectly deducing information also exist.

IMPACT
======

A malicious 64-bit PV guest might conceivably gain access to sensitive data
relating to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.1.x and later are vulnerable.

Only 64-bit PV guests can take advantage of this vulnerability.

MITIGATION
==========

Running only HVM or 32-bit PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa67.patch             Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa67*.patch
7de3ac9baa6cd9fead46e68912dfa0189e900095317645d0e33d85346fc8a028  xsa67.patch
$

--=separator
Content-Type: application/octet-stream; name="xsa67.patch"
Content-Disposition: attachment; filename="xsa67.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Thu Oct 10 12:24:07 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 10 Oct 2013 12:24:07 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VUFGk-0005co-Mo; Thu, 10 Oct 2013 12:23:06 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VUFGi-0005bf-QR; Thu, 10 Oct 2013 12:23:05 +0000
Received: from [85.158.143.35:25051] by server-3.bemta-4.messagelabs.com id
	33/71-24907-72C96525; Thu, 10 Oct 2013 12:23:03 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-8.tower-21.messagelabs.com!1381407782!854006!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: INFO: max file limit 5000
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 31934 invoked from network); 10 Oct 2013 12:23:03 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-8.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	10 Oct 2013 12:23:03 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VUFGZ-0004qI-2F; Thu, 10 Oct 2013 12:22:55 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VUFGZ-0002aR-0Q; Thu, 10 Oct 2013 12:22:55 +0000
Date: Thu, 10 Oct 2013 12:22:55 +0000
Message-Id: <E1VUFGZ-0002aR-0Q@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 70 (CVE-2013-4371) -
 use-after-free in libxl_list_cpupool under memory pressure
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4371 / XSA-70
                               version 2

      use-after-free in libxl_list_cpupool under memory pressure

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

If realloc(3) fails, libxl_list_cpupool will incorrectly return the
now-freed original pointer.
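The realloc(3) failure pattern just described, as an added example that is not libxl's own code: a constructed list-growing routine that frees the partial list on failure yet still returns it, beside a corrected version. The allocator is reached through a hook so the failure can be triggered deterministically; struct pool_info, the hook, set_grow_failure() and the probe helpers are assumptions made for this example.

```c
/* Added example, not libxl's code: the realloc(3) failure pattern XSA-70
 * describes, beside a corrected version.  The allocator goes through a hook
 * so the failure path can be triggered deterministically (all assumptions). */
#include <stdlib.h>
struct pool_info { unsigned id; };   /* stands in for libxl_cpupoolinfo */

/* Allocator hook: plain realloc() normally; probes swap in failing_realloc(). */
static void *(*grow_hook)(void *, size_t) = realloc;
static int fail_at = -1;   /* index of the grow call to fail, -1 = never */
static int grow_calls;     /* grow calls since the last set_grow_failure() */
static int grow_failed;    /* set once the simulated failure has fired */

static void *failing_realloc(void *p, size_t n)
{
    if (fail_at >= 0 && grow_calls++ == fail_at) {
        grow_failed = 1;
        return NULL;       /* simulated memory pressure */
    }
    return realloc(p, n);
}

/* Arm the injected allocator; n < 0 restores plain realloc(). */
static void set_grow_failure(int n)
{
    fail_at = n;
    grow_calls = 0;
    grow_failed = 0;
    grow_hook = n < 0 ? realloc : failing_realloc;
}

/* Flawed pattern: on realloc failure the partial list is freed and the loop
 * exits, but the freed pointer and a non-zero count are still handed back,
 * so a caller that reads or frees the result hits a use-after-free or
 * double free.  If the very first grow fails, ptr is still NULL: harmless. */
static struct pool_info *list_pools_flawed(unsigned npools, int *nb)
{
    struct pool_info *ptr = NULL, *tmp;
    unsigned i;
    for (i = 0; i < npools; i++) {
        tmp = grow_hook(ptr, (i + 1) * sizeof(*ptr));
        if (!tmp) {
            free(ptr);     /* ptr now dangles ... */
            break;         /* ... yet is returned below */
        }
        ptr = tmp;
        ptr[i].id = i;
    }
    *nb = (int)i;
    return ptr;            /* BUG: may be a freed pointer */
}

/* Corrected pattern: free what was built, report zero entries and return
 * NULL so the caller can never touch freed memory. */
static struct pool_info *list_pools_fixed(unsigned npools, int *nb)
{
    struct pool_info *ptr = NULL, *tmp;
    unsigned i;
    for (i = 0; i < npools; i++) {
        tmp = grow_hook(ptr, (i + 1) * sizeof(*ptr));
        if (!tmp) {
            free(ptr);
            *nb = 0;
            return NULL;
        }
        ptr = tmp;
        ptr[i].id = i;
    }
    *nb = (int)i;
    return ptr;
}

/* Probe the fixed variant with grow call fail_idx failing (-1 = never):
 * returns the reported count, or -1 if the function broke its contract. */
static int probe_fixed(unsigned npools, int fail_idx)
{
    struct pool_info *p;
    int nb = -1, ok;
    set_grow_failure(fail_idx);
    p = list_pools_fixed(npools, &nb);
    if (grow_failed)
        ok = (p == NULL && nb == 0);
    else
        ok = npools == 0 ? (p == NULL)
                         : (p != NULL && p[npools - 1].id == npools - 1);
    free(p);               /* free(NULL) is a no-op */
    return ok ? nb : -1;
}

/* Probe the flawed variant; its result is released only when no failure
 * fired, because after a failure it was already freed inside the function. */
static int probe_flawed(unsigned npools, int fail_idx)
{
    struct pool_info *p;
    int nb = -1;
    set_grow_failure(fail_idx);
    p = list_pools_flawed(npools, &nb);
    if (!grow_failed)
        free(p);
    return nb;             /* non-zero after a failure: the dangerous case */
}
```

With the third grow failing, probe_flawed(4, 2) reports two entries behind a pointer that has already been freed, while probe_fixed(4, 2) reports zero and NULL.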

IMPACT
======

An attacker may be able to cause a multithreaded toolstack using this
function to race against itself, leading to heap corruption and a
potential DoS.

Depending on the malloc implementation, code execution cannot be ruled
out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.2 onwards.

Systems using the libxl toolstack library are vulnerable.

MITIGATION
==========

Not calling the libxl_list_cpupool function will avoid this issue.

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa70.patch             Xen 4.3.x, Xen 4.2.x, xen-unstable


$ sha256sum xsa70*.patch
2582d3d545903af475436145f7e459414ad9d9c61d5720992eeeec42de8dde56  xsa70.patch
$

--=separator
Content-Type: application/octet-stream; name="xsa70.patch"
Content-Disposition: attachment; filename="xsa70.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Thu Oct 10 12:29:25 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 10 Oct 2013 12:29:25 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VUFM5-0007S3-0h; Thu, 10 Oct 2013 12:28:37 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VUFM3-0007RC-9b; Thu, 10 Oct 2013 12:28:35 +0000
Received: from [85.158.143.35:9274] by server-3.bemta-4.messagelabs.com id
	51/1C-24907-27D96525; Thu, 10 Oct 2013 12:28:34 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-15.tower-21.messagelabs.com!1381408112!975209!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: INFO: max file limit 5000
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 11211 invoked from network); 10 Oct 2013 12:28:33 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-15.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	10 Oct 2013 12:28:33 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VUFLv-0004up-Ca; Thu, 10 Oct 2013 12:28:27 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VUFLt-0002yY-AA; Thu, 10 Oct 2013 12:28:25 +0000
Date: Thu, 10 Oct 2013 12:28:25 +0000
Message-Id: <E1VUFLt-0002yY-AA@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 71 (CVE-2013-4375) - qemu disk
 backend (qdisk) resource leak
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4375 / XSA-71
                              version 2

               qemu disk backend (qdisk) resource leak

UPDATES IN VERSION 2
====================

Public release.

Fix patch header corruption in xsa71-qemu-xen-unstable.patch.

ISSUE DESCRIPTION
=================

The qdisk PV disk backend in the qemu-xen flavour of qemu ("upstream
qemu") can be influenced by a malicious frontend to leak mapped grant
references.

IMPACT
======

A malicious HVM guest can cause the backend domain to run out of grant
references, leading to a DoS for any other domain which shares that
driver domain.

VULNERABLE SYSTEMS
==================

Any system which is using the qemu-xen qdisk backend for HVM guests is
vulnerable.

qemu-xen and qdisk are exposed by systems using libxl from Xen 4.2.0
onwards. In Xen 4.2.0 qemu-xen was a non-default option; from Xen
4.3.0 onwards qemu-xen is the default.

Xen 4.1.0 exposes qdisk via libxl but does not support qemu-xen and
therefore is not vulnerable.

The xend toolstack has never supported qdisk as a disk backend and
therefore such systems are not vulnerable.

Upstream qemu is vulnerable from version 1.1 onwards.

MITIGATION
==========

This vulnerability can be avoided by using a different block backend
(e.g. blkback or blktap2) or by using the qemu-xen-traditional version
of qemu.

Users of the xl toolstack should see docs/misc/xl-disk-configuration.txt
for information on forcing the use of a particular disk backend, and
xl.cfg(5) for information on forcing the use of qemu-xen-traditional.

Systems which only run PV guests and/or run HVM guests without PV
drivers are not vulnerable.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa71-qemu-xen-unstable.patch        xen-unstable, Xen 4.3.x
xsa71-qemu-xen-4.2.patch             Xen 4.2.x


$ sha256sum xsa71*.patch
a3f667e251a32fa5eff4a78eae49acd020b2f340fb203dc08a033d43841b0a2a  xsa71-qemu-xen-4.2.patch
f5ec607babb01dc8f8065dfe121882af4c3d93c035bafbfed48825dea684d6d9  xsa71-qemu-xen-unstable.patch
$

--=separator
Content-Type: application/octet-stream; name="xsa71-qemu-xen-4.2.patch"
Content-Disposition: attachment; filename="xsa71-qemu-xen-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa71-qemu-xen-unstable.patch"
Content-Disposition: attachment; filename="xsa71-qemu-xen-unstable.patch"
Content-Transfer-Encoding: base64
--=separator--


--=separator
Content-Type: application/octet-stream; name="xsa71-qemu-xen-unstable.patch"
Content-Disposition: attachment; filename="xsa71-qemu-xen-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
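
The following is an added worked example for XSA-71; it is not part of the advisory and is not Xen project code. It applies the VULNERABLE SYSTEMS and MITIGATION rules stated above to xl domain configuration files: a guest is exposed only if it is HVM, runs under the qemu-xen device model, and has a disk served by the qdisk backend. The sample configs are constructed. Two things are this script's own assumptions rather than statements from the advisory: a disk whose spec carries no explicit backendtype is reported as "possibly-exposed", because libxl then selects the backend itself; and the parser accepts only simple key = value lines with quoted list items (legacy "phy:"-style prefixes are not interpreted and count as unspecified). The script also cannot tell whether an HVM guest actually loads PV drivers, which the advisory says is required for exposure.

```python
"""Audit xl domain configs for the XSA-71 exposure pattern.

Added example, not Xen project code.  Rules from the advisory: an HVM
guest is exposed when it runs under qemu-xen (non-default in Xen 4.2.0,
default from 4.3.0) and a disk is served by qdisk; PV guests and guests
under qemu-xen-traditional are not.  Assumption of this script only: a
disk with no explicit backendtype is "possibly-exposed" (libxl chooses).
"""
import re

SAFE_BACKENDS = {"phy", "tap"}   # blkback / blktap2, per the MITIGATION section


def parse_xl_config(text):
    """Return {key: value} for `key = "str"` and `key = [ 'a', 'b' ]` lines."""
    cfg, buf = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (no '#' inside values)
        if not line:
            continue
        buf += line
        if buf.count("[") > buf.count("]"):
            continue                           # list continues on the next line
        key, _, value = buf.partition("=")
        buf = ""
        key, value = key.strip(), value.strip()
        if value.startswith("["):
            cfg[key] = re.findall(r"""['"]([^'"]*)['"]""", value)
        else:
            cfg[key] = value.strip("'\"")
    return cfg


def disk_backend(spec):
    """Return the backendtype named in one xl disk spec, or None if unset."""
    for param in spec.split(","):
        key, sep, value = param.strip().partition("=")
        if sep and key.strip() == "backendtype":
            return value.strip()
    return None


def xsa71_exposure(cfg, xen_default_dm="qemu-xen"):
    """Classify a parsed config: 'exposed', 'possibly-exposed' or 'not-exposed'.

    xen_default_dm is what libxl uses when device_model_version is unset:
    "qemu-xen" on Xen 4.3, "qemu-xen-traditional" on Xen 4.2.
    """
    if cfg.get("builder", "generic") != "hvm":
        return "not-exposed"                   # PV guest
    if cfg.get("device_model_version", xen_default_dm) == "qemu-xen-traditional":
        return "not-exposed"                   # no qdisk in qemu-xen-traditional
    verdict = "not-exposed"
    for spec in cfg.get("disk", []):
        backend = disk_backend(spec)
        if backend == "qdisk":
            return "exposed"
        if backend not in SAFE_BACKENDS:
            verdict = "possibly-exposed"       # libxl picks the backend; may be qdisk
    return verdict


# Constructed sample configs (not taken from any real host).
EXPOSED_CFG = """\
builder = "hvm"
name = "win7"
disk = [ 'format=qcow2, vdev=hda, access=rw, backendtype=qdisk, target=/srv/xen/win7.qcow2' ]
"""

UNSPECIFIED_CFG = """\
builder = "hvm"
name = "win7"
disk = [
    'format=raw, vdev=hda, access=rw, target=/srv/xen/win7.img',   # backend chosen by libxl
    'format=raw, vdev=hdc, access=ro, devtype=cdrom, target=/srv/iso/win7.iso',
]
"""

MITIGATED_CFG = """\
builder = "hvm"
name = "win7"
device_model_version = "qemu-xen-traditional"   # xl.cfg(5)
disk = [ 'format=raw, vdev=hda, access=rw, backendtype=phy, target=/dev/vg0/win7' ]
"""

PV_CFG = """\
name = "pvguest"
kernel = "/boot/vmlinuz-xen"
disk = [ 'format=raw, vdev=xvda, access=rw, target=/srv/xen/pv.img' ]
"""


def audit(text, xen_default_dm="qemu-xen"):
    """Parse one xl config and return its XSA-71 verdict."""
    return xsa71_exposure(parse_xl_config(text), xen_default_dm)


if __name__ == "__main__":
    for label, text in (("explicit qdisk", EXPOSED_CFG), ("unspecified", UNSPECIFIED_CFG),
                        ("mitigated", MITIGATED_CFG), ("pv", PV_CFG)):
        print("%-15s Xen 4.3 defaults: %s" % (label, audit(text)))
```

For a Xen 4.2 host pass xen_default_dm="qemu-xen-traditional", since there qemu-xen is only used when the config asks for it. A "possibly-exposed" verdict means the backend was left to libxl; the fix in the advisory's terms is to pin backendtype=phy or backendtype=tap in the disk spec (docs/misc/xl-disk-configuration.txt) or to set device_model_version to qemu-xen-traditional (xl.cfg(5)), and then re-run the audit.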


From xen-announce-bounces@lists.xen.org Tue Oct 29 15:41:05 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 29 Oct 2013 15:41:05 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VbBO8-0007fk-0o; Tue, 29 Oct 2013 15:39:24 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VbBO5-0007fQ-FM; Tue, 29 Oct 2013 15:39:21 +0000
Received: from [85.158.137.68:28848] by server-7.bemta-3.messagelabs.com id
	51/24-13052-8A6DF625; Tue, 29 Oct 2013 15:39:20 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-31.messagelabs.com!1383061158!385979!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 7247 invoked from network); 29 Oct 2013 15:39:19 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-5.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	29 Oct 2013 15:39:19 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VbBNv-0008EC-Ua; Tue, 29 Oct 2013 15:39:11 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VbBNu-0001Jl-G5; Tue, 29 Oct 2013 15:39:11 +0000
Date: Tue, 29 Oct 2013 15:39:10 +0000
Message-Id: <E1VbBNu-0001Jl-G5@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 72 (CVE-2013-4416) - ocaml
 xenstored mishandles oversized message replies
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4416 / XSA-72
                             version 3

         ocaml xenstored mishandles oversized message replies

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The Ocaml xenstored implementation ("oxenstored") cannot correctly handle
a message reply larger than XENSTORE_PAYLOAD_SIZE when communicating
with a client domain via the shared ring mechanism.

When this situation occurs the connection to the client domain will be
shutdown and cannot be restarted leading to a denial of service to
that domain.

Clients in the same domain as xenstored which are using the Unix
domain socket mechanism are not vulnerable.

IMPACT
======

A malicious domain can create a directory containing a large number of
entries in the hopes that a victim domain will attempt to list the
contents of that directory. If this happens then the victim domain's
xenstore connection will be shutdown leading to a denial of service
against that domain.

If the victim domain is a toolstack or control domain then this can
lead to a denial of service against the whole system.

VULNERABLE SYSTEMS
==================

All systems using oxenstored are potentially vulnerable.

oxenstored was added in Xen 4.1.0. From Xen 4.2.0 onward it is used by
default if an ocaml toolstack was present at build time.

In its default configuration the C xenstored implementation is not
vulnerable.  By default this implementation imposes a quota on the
maximum directory size which is less than XENSTORE_PAYLOAD_SIZE.  If
you have adjusted the quota using the --entry-size / -S option to a
value larger than XENSTORE_PAYLOAD_SIZE (4096 bytes) then you may be
vulnerable.

Systems where the toolstack and oxenstored live in the same domain
will default to using Unix domain socket based communications and
therefore are not vulnerable to the host wide denial of service by
default.  In such a configuration guest domains which do not list
xenstore paths belonging to untrusted foreign domains will not be
vulnerable to the DoS.  (In the common case guests will not have
permission to do so in any case.)

MITIGATION
==========

Switching to the C xenstored (in its default configuration), will
eliminate this vulnerability.

CREDITS
=======

This issue was discovered by Thomas Sanders at Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves both the ocaml xenstore and C
xenstore issues.

xsa72.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa72*.patch
66e11513fc512173140f3ca12568f8ef79415e9a7884254a700991b3f1afd125  xsa72.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSb9aMAAoJEIP+FMlX6CvZU6MH/2Racg6r+JLka2jqPO3X+BCh
+Dvkp2s85lQ/i7lUDq7V/1Badc+GpqCAoysgjh0bMSyXpPwaz3N+JhcgSEzWbXoU
IlQQUWGA86jO7x0g1HBIfvmf6o+ALWKkoyLiOZ3ZgpibO/vkl+8qU6yiD+r0XDaM
TTcsuRrosw6wbVsPkL7wGpTsQD1JA/FSKd7BpsQRMjxUeMtTeBtPN1o+zsvGf7he
A8MYe55XXYZbHv/S9yuBCHXtCU+QRtuGJGODIPACOqsaqWETIf013sxCORAmqg3x
bNEm3R0EJl3pO8Hdd2kTzIjRHgLn9LEKTIQU4+IYj0jOqXsMYjalFIL2RFC2lzI=
=vgDt
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa72.patch"
Content-Disposition: attachment; filename="xsa72.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
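
The following is an added worked example for XSA-72; it is not part of the advisory and is not Xen project code. The VULNERABLE SYSTEMS section gives two conditions a host can be checked against: oxenstored is affected until patched, and the C xenstored is affected only if its per-entry quota was raised above XENSTORE_PAYLOAD_SIZE (4096 bytes) with --entry-size / -S. The advisory does not say how to locate the running daemon; this script takes the process list as printed by `ps -eo pid,args` (the embedded sample is constructed; a real host runs a single xenstored) and reports a verdict per xenstored process. Its own assumptions: the quota is a decimal byte count given as `-S N`, `-SN`, `--entry-size N` or `--entry-size=N`, and the daemon is identified by the basename of argv[0]. It cannot tell a patched oxenstored from an unpatched one, and it does not check whether the toolstack talks to oxenstored over the Unix socket or the ring, which the advisory says decides whether the DoS is host-wide.

```python
"""Check a host's running xenstored against the XSA-72 conditions.

Added example, not Xen project code.  From the advisory: oxenstored is
affected until the xsa72 patch is applied; the C xenstored is affected
only if its entry-size quota (-S / --entry-size) exceeds
XENSTORE_PAYLOAD_SIZE, 4096 bytes.  Assumption of this script: the quota
argument is a decimal byte count in one of the usual getopt spellings.
"""

XENSTORE_PAYLOAD_SIZE = 4096   # bytes, as stated in the advisory


def entry_size_quota(argv):
    """Return the -S/--entry-size value from a C xenstored argv, or None."""
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-S", "--entry-size") and i + 1 < len(argv):
            return int(argv[i + 1])
        if arg.startswith("--entry-size="):
            return int(arg.split("=", 1)[1])
        if arg.startswith("-S") and arg[2:].isdigit():   # -S8192 form
            return int(arg[2:])
        i += 1
    return None


def classify_xenstored(cmdline):
    """Return (daemon, verdict, reason) for one command line, or None if the
    process is not a xenstored at all."""
    argv = cmdline.split()
    if not argv:
        return None
    daemon = argv[0].rsplit("/", 1)[-1]
    if daemon == "oxenstored":
        return (daemon, "affected-unless-patched",
                "oxenstored shuts down a ring client whose reply exceeds %d bytes; "
                "host-wide DoS only if the toolstack also uses the ring"
                % XENSTORE_PAYLOAD_SIZE)
    if daemon == "xenstored":
        quota = entry_size_quota(argv)
        if quota is not None and quota > XENSTORE_PAYLOAD_SIZE:
            return (daemon, "possibly-affected",
                    "entry-size quota %d exceeds XENSTORE_PAYLOAD_SIZE" % quota)
        return (daemon, "not-affected",
                "C xenstored with entry-size quota <= %d" % XENSTORE_PAYLOAD_SIZE)
    return None


# Constructed `ps -eo pid,args` output; a real host runs only one xenstored.
SAMPLE_PS = """\
  PID COMMAND
 1234 /usr/sbin/oxenstored --pid-file /var/run/xenstored.pid
 1235 /usr/sbin/xenstored --pid-file /var/run/xenstored.pid -S 8192
 1236 /usr/sbin/xenstored --pid-file /var/run/xenstored.pid --entry-size=2048
 1237 /usr/sbin/xenconsoled
"""


def audit_ps_output(text):
    """Map PID -> verdict for every xenstored process in ps output."""
    verdicts = {}
    for line in text.splitlines()[1:]:        # skip the header line
        pid, _, args = line.strip().partition(" ")
        result = classify_xenstored(args)
        if result is not None:
            verdicts[pid] = result[1]
    return verdicts


if __name__ == "__main__":
    for pid, verdict in sorted(audit_ps_output(SAMPLE_PS).items()):
        print(pid, verdict)
```

A quota exactly equal to 4096 is reported as not affected, matching the advisory's "larger than XENSTORE_PAYLOAD_SIZE". On a live host, feed the script the real `ps -eo pid,args` output instead of SAMPLE_PS; if the daemon is oxenstored and the xsa72 patch is not yet applied, the MITIGATION section's option is to run the C xenstored in its default configuration.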


