From xen-announce-bounces@lists.xen.org Fri Nov 01 15:10:16 2013
Date: Fri, 01 Nov 2013 15:07:14 +0000
Message-Id: <E1VcGJe-000443-7V@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 73 - Lock order reversal
 between page allocation and grant table locks
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-73

    Lock order reversal between page allocation and grant table locks

NOTE REGARDING LACK OF EMBARGO
==============================

While the response to this issue was being prepared by the security
team, the bug was independently discovered by a third party who
publicly disclosed it without realising the security impact.

ISSUE DESCRIPTION
=================

The locks page_alloc_lock and grant_table.lock are not always taken in
the same order.  This opens the possibility of deadlock.

IMPACT
======

A malicious guest administrator can deny service to the entire host.

VULNERABLE SYSTEMS
==================

Xen versions going back to at least Xen 3.2 are vulnerable.

To exploit the vulnerability, the attacker must have control of more
than one vcpu, either by controlling a malicious multi-vcpu guest, or
by controlling more than one guest.

MITIGATION
==========

There is no practical mitigation for this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew
Cooper.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa73-4.3-unstable.patch    Xen 4.3.x, xen-unstable
xsa73-4.2.patch             Xen 4.2.x
xsa73-4.1.patch             Xen 4.1.x

$ sha256sum xsa73*.patch
b828ff085f2dc1f2042bda1dc8a6c52b56ad1c1e3639c3efe32e5706e4ef424f  xsa73-4.1.patch
10b809c39582a7f29150f0635b78bc2ce40df0bded963b78f42db3e21775da8c  xsa73-4.2.patch
48411cd6b15e4e4fa3c4335298179a4b1094c5e1ae8dc7582bbfb9439d97037b  xsa73-4.3-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa73-4.1.patch"
Content-Disposition: attachment; filename="xsa73-4.1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa73-4.2.patch"
Content-Disposition: attachment; filename="xsa73-4.2.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa73-4.3-unstable.patch"
Content-Disposition: attachment; filename="xsa73-4.3-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Fri Nov 01 15:27:10 2013
Date: Fri, 01 Nov 2013 15:25:45 +0000
Message-Id: <E1VcGbZ-0004u7-9o@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 73 - Lock order reversal
 between page allocation and grant table locks
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-73
                              version 2

    Lock order reversal between page allocation and grant table locks

UPDATES IN VERSION 2
====================

Corrected typo in xsa73-4.1.patch. The other patches were already
correct.

NOTE REGARDING LACK OF EMBARGO
==============================

While the response to this issue was being prepared by the security
team, the bug was independently discovered by a third party who
publicly disclosed it without realising the security impact.

ISSUE DESCRIPTION
=================

The locks page_alloc_lock and grant_table.lock are not always taken in
the same order.  This opens the possibility of deadlock.

IMPACT
======

A malicious guest administrator can deny service to the entire host.

VULNERABLE SYSTEMS
==================

Xen versions going back to at least Xen 3.2 are vulnerable.

To exploit the vulnerability, the attacker must have control of more
than one vcpu, either by controlling a malicious multi-vcpu guest, or
by controlling more than one guest.

MITIGATION
==========

There is no practical mitigation for this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew
Cooper.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa73-4.3-unstable.patch    Xen 4.3.x, xen-unstable
xsa73-4.2.patch             Xen 4.2.x
xsa73-4.1.patch             Xen 4.1.x

$ sha256sum xsa73*.patch
c9284e2c12b1c4f8c63d11b8802b4f408e6623f857f120b04e47840f433e4823  xsa73-4.1.patch
10b809c39582a7f29150f0635b78bc2ce40df0bded963b78f42db3e21775da8c  xsa73-4.2.patch
48411cd6b15e4e4fa3c4335298179a4b1094c5e1ae8dc7582bbfb9439d97037b  xsa73-4.3-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa73-4.1.patch"
Content-Disposition: attachment; filename="xsa73-4.1.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa73-4.2.patch"
Content-Disposition: attachment; filename="xsa73-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa73-4.3-unstable.patch"
Content-Disposition: attachment; filename="xsa73-4.3-unstable.patch"
Content-Transfer-Encoding: base64
--=separator--
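
Added example (not part of the advisory or of the attached Xen patches): a minimal lock-order checker in C showing how nesting page_alloc_lock and grant_table.lock in opposite orders on two paths can be flagged from the acquisition order alone, without the paths ever running at the same time. The two paths, the function names and the graph structure are constructed for illustration; the advisory does not say which Xen code path uses which order, and releasing the first lock before taking the second is shown only as one generic way to remove the nesting.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HELD 8

/* Lock classes named after the two locks in the advisory (ids are constructed). */
enum { PAGE_ALLOC_LOCK, GRANT_TABLE_LOCK, NUM_LOCKS };
static const char *lock_name[NUM_LOCKS] = { "page_alloc_lock", "grant_table.lock" };

/* before[a][b] != 0 means: some path acquired b while already holding a. */
struct order_graph { unsigned char before[NUM_LOCKS][NUM_LOCKS]; };

/* Locks currently held by one execution context (e.g. one vcpu's path). */
struct ctx { int held[MAX_HELD]; int depth; };

/* Depth-first search: is 'to' reachable from 'from' along recorded edges? */
static int reaches(const struct order_graph *g, int from, int to, unsigned seen)
{
    if (from == to)
        return 1;
    seen |= 1u << from;
    for (int n = 0; n < NUM_LOCKS; n++)
        if (g->before[from][n] && !(seen & (1u << n)) && reaches(g, n, to, seen))
            return 1;
    return 0;
}

/* Record an acquisition; return the number of ordering violations it causes.
 * A violation is taking 'lock' while holding h when the graph already says
 * 'lock' comes before h (this also flags re-taking a lock already held). */
static int lock_acquire(struct order_graph *g, struct ctx *c, int lock)
{
    int violations = 0;
    for (int i = 0; i < c->depth; i++) {
        int h = c->held[i];
        if (reaches(g, lock, h, 0)) {
            printf("order reversal: %s taken while holding %s\n",
                   lock_name[lock], lock_name[h]);
            violations++;
        }
        g->before[h][lock] = 1;
    }
    if (c->depth < MAX_HELD)
        c->held[c->depth++] = lock;
    return violations;
}

static void lock_release(struct ctx *c, int lock)
{
    for (int i = 0; i < c->depth; i++)
        if (c->held[i] == lock) {
            memmove(&c->held[i], &c->held[i + 1],
                    (size_t)(c->depth - i - 1) * sizeof(int));
            c->depth--;
            return;
        }
}

/* Path that nests 'inner' inside 'outer'. */
static int nested(struct order_graph *g, struct ctx *c, int outer, int inner)
{
    int v = lock_acquire(g, c, outer) + lock_acquire(g, c, inner);
    lock_release(c, inner);
    lock_release(c, outer);
    return v;
}

/* Constructed scenario 1: two paths nest the locks in opposite orders. */
int run_reversed(void)
{
    struct order_graph g = {0};
    struct ctx a = {0}, b = {0};
    return nested(&g, &a, PAGE_ALLOC_LOCK, GRANT_TABLE_LOCK) +
           nested(&g, &b, GRANT_TABLE_LOCK, PAGE_ALLOC_LOCK);
}

/* Constructed scenario 2: path A releases page_alloc_lock before taking
 * grant_table.lock, so only one nesting order is ever recorded. */
int run_consistent(void)
{
    struct order_graph g = {0};
    struct ctx a = {0}, b = {0};
    int v = lock_acquire(&g, &a, PAGE_ALLOC_LOCK);
    lock_release(&a, PAGE_ALLOC_LOCK);          /* drop before the other lock */
    v += lock_acquire(&g, &a, GRANT_TABLE_LOCK);
    lock_release(&a, GRANT_TABLE_LOCK);
    v += lock_acquire(&g, &a, PAGE_ALLOC_LOCK); /* re-take afterwards */
    lock_release(&a, PAGE_ALLOC_LOCK);
    return v + nested(&g, &b, GRANT_TABLE_LOCK, PAGE_ALLOC_LOCK);
}

int main(void)
{
    printf("reversed nesting:   %d violation(s)\n", run_reversed());
    printf("consistent nesting: %d violation(s)\n", run_consistent());
    return 0;
}
```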


From xen-announce-bounces@lists.xen.org Fri Nov 01 15:27:10 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 01 Nov 2013 15:27:10 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VcGbj-0007TR-4J; Fri, 01 Nov 2013 15:25:55 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VcGbh-0007T4-C4; Fri, 01 Nov 2013 15:25:53 +0000
Received: from [85.158.143.35:57466] by server-1.bemta-4.messagelabs.com id
	AE/E8-17304-008C3725; Fri, 01 Nov 2013 15:25:52 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-16.tower-21.messagelabs.com!1383319550!384711!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.13; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 16361 invoked from network); 1 Nov 2013 15:25:51 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-16.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	1 Nov 2013 15:25:51 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VcGbZ-0005Ez-Lg; Fri, 01 Nov 2013 15:25:45 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VcGbZ-0004u7-9o; Fri, 01 Nov 2013 15:25:45 +0000
Date: Fri, 01 Nov 2013 15:25:45 +0000
Message-Id: <E1VcGbZ-0004u7-9o@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 73 - Lock order reversal
 between page allocation and grant table locks
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-73
                              version 2

    Lock order reversal between page allocation and grant table locks

UPDATES IN VERSION 2
====================

Corrected typo in xsa73-4.1.patch. The other patches were already
correct.

NOTE REGARDING LACK OF EMBARGO
==============================

While the response to this issue was being prepared by the security
team, the bug was independently discovered by a third party who
publicly disclosed it without realising the security impact.

ISSUE DESCRIPTION
=================

The locks page_alloc_lock and grant_table.lock are not always taken in
the same order.  This opens the possibility of deadlock.

IMPACT
======

A malicious guest administrator can deny service to the entire host.

VULNERABLE SYSTEMS
==================

Xen versions going back to at least Xen 3.2 are vulnerable.

To exploit the vulnerability, the attacker must have control of more
than one vcpu, either by controlling a malicious multi-vcpu guest, or
by controlling more than one guest.

MITIGATION
==========

There is no practical mitigation for this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew
Cooper.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa73-4.3-unstable.patch    Xen 4.3.x, xen-unstable
xsa73-4.2.patch             Xen 4.2.x
xsa73-4.1.patch             Xen 4.1.x

$ sha256sum xsa73*.patch
c9284e2c12b1c4f8c63d11b8802b4f408e6623f857f120b04e47840f433e4823  xsa73-4.1.patch
10b809c39582a7f29150f0635b78bc2ce40df0bded963b78f42db3e21775da8c  xsa73-4.2.patch
48411cd6b15e4e4fa3c4335298179a4b1094c5e1ae8dc7582bbfb9439d97037b  xsa73-4.3-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa73-4.1.patch"
Content-Disposition: attachment; filename="xsa73-4.1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa73-4.2.patch"
Content-Disposition: attachment; filename="xsa73-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa73-4.3-unstable.patch"
Content-Disposition: attachment; filename="xsa73-4.3-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Mon Nov 04 13:17:49 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 04 Nov 2013 13:17:49 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VdK0a-0005X6-Jc; Mon, 04 Nov 2013 13:15:56 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VdK0Z-0005Wm-7s; Mon, 04 Nov 2013 13:15:55 +0000
Received: from [193.109.254.147:32446] by server-6.bemta-14.messagelabs.com id
	56/19-19621-A0E97725; Mon, 04 Nov 2013 13:15:54 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-13.tower-27.messagelabs.com!1383570951!514563!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.13; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 7317 invoked from network); 4 Nov 2013 13:15:52 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-13.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	4 Nov 2013 13:15:52 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VdK0P-0001Su-06; Mon, 04 Nov 2013 13:15:45 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VdK0N-0008Mz-P5; Mon, 04 Nov 2013 13:15:44 +0000
Date: Mon, 04 Nov 2013 13:15:44 +0000
Message-Id: <E1VdK0N-0008Mz-P5@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 73 (CVE-2013-4494) - Lock
 order reversal between page allocation and grant table locks
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              Xen Security Advisory CVE-2013-4494 / XSA-73
                              version 3

    Lock order reversal between page allocation and grant table locks

UPDATES IN VERSION 3
====================

The issue has been assigned CVE-2013-4494.

NOTE REGARDING LACK OF EMBARGO
==============================

While the response to this issue was being prepared by the security
team, the bug was independently discovered by a third party who
publicly disclosed it without realising the security impact.

ISSUE DESCRIPTION
=================

The locks page_alloc_lock and grant_table.lock are not always taken in
the same order.  This opens the possibility of deadlock.

IMPACT
======

A malicious guest administrator can deny service to the entire host.

VULNERABLE SYSTEMS
==================

Xen versions going back to at least Xen 3.2 are vulnerable.

To exploit the vulnerability, the attacker must have control of more
than one vcpu, either by controlling a malicious multi-vcpu guest, or
by controlling more than one guest.

MITIGATION
==========

There is no practical mitigation for this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew
Cooper.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa73-4.3-unstable.patch    Xen 4.3.x, xen-unstable
xsa73-4.2.patch             Xen 4.2.x
xsa73-4.1.patch             Xen 4.1.x

$ sha256sum xsa73*.patch
519eb1d2815c41d73c775324f43d1a7d75615775194bd0f6584147b45d04250b  xsa73-4.1.patch
9eab1db170dc13bdd4da76bc2184399f705d124acd14b364428f012ea5c3a281  xsa73-4.2.patch
1c070e66d1bea3c109f22ea4db2e8828f0f4b016d51d6d88667b775eec340514  xsa73-4.3-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa73-4.1.patch"
Content-Disposition: attachment; filename="xsa73-4.1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa73-4.2.patch"
Content-Disposition: attachment; filename="xsa73-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa73-4.3-unstable.patch"
Content-Disposition: attachment; filename="xsa73-4.3-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
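
The lock order reversal named in the XSA-73 issue description can be found mechanically without ever triggering the deadlock. The C sketch below is an added example, not code from Xen or from the advisory's patches: only the two lock names come from the advisory, while the two code paths, the validator and the restructuring (release the first lock before taking the second) are assumptions made for illustration.

```c
/* Added illustration, not Xen code: a minimal lock-order validator.
 * Lock names are taken from the advisory; the code paths are hypothetical. */
#include <stdio.h>
#include <string.h>

enum lock_id { PAGE_ALLOC_LOCK, GRANT_TABLE_LOCK, NLOCKS };
static const char *const lock_name[NLOCKS] = {
    "page_alloc_lock", "grant_table.lock"
};

/* Global order graph: before[a][b] != 0 means some context took b
 * while already holding a, i.e. the observed order "a, then b". */
struct validator {
    int before[NLOCKS][NLOCKS];
    int violations;
};

/* One execution context, e.g. one vcpu servicing a hypercall. */
struct ctx {
    struct validator *v;
    int held[NLOCKS];
};

/* Depth-first search: was an ordering chain from -> ... -> to ever observed? */
static int reachable(const struct validator *v, int from, int to, int *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int n = 0; n < NLOCKS; n++)
        if (v->before[from][n] && !seen[n] && reachable(v, n, to, seen))
            return 1;
    return 0;
}

static void acquire(struct ctx *c, enum lock_id l)
{
    for (int h = 0; h < NLOCKS; h++) {
        int seen[NLOCKS] = { 0 };

        if (!c->held[h] || h == (int)l)
            continue;
        /* We hold h and want l. If the order l -> ... -> h was ever
         * observed, two contexts can each hold what the other needs. */
        if (reachable(c->v, l, h, seen)) {
            c->v->violations++;
            printf("order reversal: %s taken while holding %s\n",
                   lock_name[l], lock_name[h]);
        }
        c->v->before[h][l] = 1;
    }
    c->held[l] = 1;
}

static void release(struct ctx *c, enum lock_id l) { c->held[l] = 0; }

/* Hypothetical path A: grant table lock first, page allocation lock nested. */
static void path_grant_then_page(struct ctx *c)
{
    acquire(c, GRANT_TABLE_LOCK);
    acquire(c, PAGE_ALLOC_LOCK);
    release(c, PAGE_ALLOC_LOCK);
    release(c, GRANT_TABLE_LOCK);
}

/* Hypothetical path B, nested the other way round: the reversal. */
static void path_page_then_grant_nested(struct ctx *c)
{
    acquire(c, PAGE_ALLOC_LOCK);
    acquire(c, GRANT_TABLE_LOCK);
    release(c, GRANT_TABLE_LOCK);
    release(c, PAGE_ALLOC_LOCK);
}

/* Path B restructured (assumed fix shape): never hold both locks at once.
 * State read under the first lock must be rechecked after retaking it. */
static void path_page_then_grant_dropped(struct ctx *c)
{
    acquire(c, PAGE_ALLOC_LOCK);
    release(c, PAGE_ALLOC_LOCK);
    acquire(c, GRANT_TABLE_LOCK);
    release(c, GRANT_TABLE_LOCK);
    acquire(c, PAGE_ALLOC_LOCK);
    release(c, PAGE_ALLOC_LOCK);
}

/* Run path A in one context and path B in another; return reversals seen. */
int count_reversals(int restructured)
{
    struct validator v;
    struct ctx a, b;

    memset(&v, 0, sizeof v);
    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);
    a.v = &v;
    b.v = &v;
    path_grant_then_page(&a);
    if (restructured)
        path_page_then_grant_dropped(&b);
    else
        path_page_then_grant_nested(&b);
    return v.violations;
}

int main(void)
{
    printf("nested path B:       %d reversal(s)\n", count_reversals(0));
    printf("restructured path B: %d reversal(s)\n", count_reversals(1));
    return 0;
}
```

The validator reports the reversal from a single sequential run, which is why order checking of this kind catches a deadlock that timing-dependent testing can miss.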


From xen-announce-bounces@lists.xen.org Fri Nov 08 16:22:36 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 08 Nov 2013 16:22:36 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VeooG-0005e2-FA; Fri, 08 Nov 2013 16:21:24 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VeooE-0005dh-AN; Fri, 08 Nov 2013 16:21:22 +0000
Received: from [85.158.143.35:24008] by server-2.bemta-4.messagelabs.com id
	09/6E-06473-18F0D725; Fri, 08 Nov 2013 16:21:21 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-3.tower-21.messagelabs.com!1383927679!1937477!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.13; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 920 invoked from network); 8 Nov 2013 16:21:20 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-3.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	8 Nov 2013 16:21:20 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Veoo6-0001xg-4f; Fri, 08 Nov 2013 16:21:14 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Veoo5-0001qU-6H; Fri, 08 Nov 2013 16:21:13 +0000
Date: Fri, 08 Nov 2013 16:21:13 +0000
Message-Id: <E1Veoo5-0001qU-6H@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 75 - Host crash due to guest
 VMX instruction execution
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                  Xen Security Advisory XSA-75

           Host crash due to guest VMX instruction execution

ISSUE DESCRIPTION
=================

Permission checks on the emulation paths (intended for guests using
nested virtualization) for VMLAUNCH and VMRESUME were deferred too
much.  The hypervisor would try to use internal state which is not set
up unless nested virtualization is actually enabled for a guest.

IMPACT
======

A malicious or misbehaved HVM guest, including malicious or misbehaved user
mode code run in the guest, might be able to crash the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only HVM guests run on VMX capable (e.g. Intel) hardware can take
advantage of this vulnerability.

MITIGATION
==========

Running only PV guests, or running HVM guests on SVM capable
(e.g. AMD) hardware will avoid this issue.

Enabling nested virtualization for a HVM guest running on VMX capable
hardware would also allow avoiding the issue.  However this
functionality is still considered experimental, and is not covered by
security support from the Xen Project security team.  This approach is
therefore not recommended for use in production.

CREDITS
=======

This issue was discovered by Jeff Zimmerman.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa75-4.3-unstable.patch    Xen 4.3.x, xen-unstable
xsa75-4.2.patch             Xen 4.2.x

$ sha256sum xsa75*.patch
0b2da4ede6507713c75e313ba468b1fd7110e5696974ab72e2135f41ee393a8b  xsa75-4.2.patch
91936421279fd2fa5321d9ed5a2b71fe76bc0e1348e67126e8b9cde0cb1d32b2  xsa75-4.3-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa75-4.2.patch"
Content-Disposition: attachment; filename="xsa75-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa75-4.3-unstable.patch"
Content-Disposition: attachment; filename="xsa75-4.3-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Mon Nov 11 11:43:57 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 11 Nov 2013 11:43:57 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VfptF-0007Wg-Fi; Mon, 11 Nov 2013 11:42:45 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VfptE-0007WO-KB; Mon, 11 Nov 2013 11:42:44 +0000
Received: from [85.158.137.68:14303] by server-13.bemta-3.messagelabs.com id
	DB/78-02689-3B2C0825; Mon, 11 Nov 2013 11:42:43 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-7.tower-31.messagelabs.com!1384170161!743283!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.13; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 27731 invoked from network); 11 Nov 2013 11:42:42 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-7.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	11 Nov 2013 11:42:42 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Vfpt7-0001uV-O0; Mon, 11 Nov 2013 11:42:37 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Vfpt7-0000ZE-H4; Mon, 11 Nov 2013 11:42:37 +0000
Date: Mon, 11 Nov 2013 11:42:37 +0000
Message-Id: <E1Vfpt7-0000ZE-H4@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 75 (CVE-2013-4551) - Host
 crash due to guest VMX instruction execution
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4551 / XSA-75
                              version 2

           Host crash due to guest VMX instruction execution

UPDATES IN VERSION 2
====================

This issue has been assigned CVE-2013-4551.

ISSUE DESCRIPTION
=================

Permission checks on the emulation paths (intended for guests using
nested virtualization) for VMLAUNCH and VMRESUME were deferred too
much.  The hypervisor would try to use internal state which is not set
up unless nested virtualization is actually enabled for a guest.

IMPACT
======

A malicious or misbehaved HVM guest, including malicious or misbehaved user
mode code run in the guest, might be able to crash the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only HVM guests run on VMX capable (e.g. Intel) hardware can take
advantage of this vulnerability.

MITIGATION
==========

Running only PV guests, or running HVM guests on SVM capable
(e.g. AMD) hardware will avoid this issue.

Enabling nested virtualization for a HVM guest running on VMX capable
hardware would also allow avoiding the issue.  However this
functionality is still considered experimental, and is not covered by
security support from the Xen Project security team.  This approach is
therefore not recommended for use in production.

CREDITS
=======

This issue was discovered by Jeff Zimmerman.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa75-4.3-unstable.patch    Xen 4.3.x, xen-unstable
xsa75-4.2.patch             Xen 4.2.x

$ sha256sum xsa75*.patch
5d7bd39e4077dcdf97abf8cf3ceb662403bedf8642ce7d15840b329bc9e56727  xsa75-4.2.patch
7e61b457c9ad8d7c598d88163d2760041033ddb1631cfe989f853b7c2b5cd0bf  xsa75-4.3-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa75-4.2.patch"
Content-Disposition: attachment; filename="xsa75-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa75-4.3-unstable.patch"
Content-Disposition: attachment; filename="xsa75-4.3-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
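
The check ordering described in the XSA-75 advisory above, as an added toy model in C (not code from the advisory, its patches, or Xen). All names are hypothetical; the model assumes the privilege check rejects guests without nested virtualization or not at CPL 0, and it counts uses of never-initialised state instead of crashing.

```c
#include <stdbool.h>
#include <stdio.h>

enum emul_rc { EMUL_OKAY, EMUL_EXCEPTION, EMUL_VMFAIL };

#define NO_VMCS (~0UL)

/* Nested-VMX bookkeeping; set up only when nested virt is enabled (model). */
struct nested_state {
    bool initialised;
    unsigned long vmcs_addr;
    bool launched;
};

struct vcpu {
    bool nested_enabled;
    unsigned int cpl;            /* guest privilege level, 0 = kernel */
    struct nested_state nested;
    unsigned int uninit_uses;    /* model only: uses of state never set up */
};

/* All access to nested state goes through here so the model can count
 * accesses made while that state was never initialised. */
static struct nested_state *nested_of(struct vcpu *v)
{
    if (!v->nested.initialised)
        v->uninit_uses++;
    return &v->nested;
}

/* Assumed check: nested virt must be enabled and the guest must be at CPL 0. */
static enum emul_rc check_privilege(const struct vcpu *v)
{
    return (v->nested_enabled && v->cpl == 0) ? EMUL_OKAY : EMUL_EXCEPTION;
}

/* Shared tail: VMLAUNCH needs a not-yet-launched VMCS, VMRESUME a launched one. */
static enum emul_rc enter_nested_guest(struct vcpu *v, bool is_resume)
{
    struct nested_state *n = nested_of(v);

    if (n->vmcs_addr == NO_VMCS || n->launched != is_resume)
        return EMUL_VMFAIL;
    n->launched = true;
    return EMUL_OKAY;
}

/* Deferred ordering: nested state is consulted before the permission check. */
enum emul_rc handle_deferred(struct vcpu *v, bool is_resume)
{
    if (nested_of(v)->vmcs_addr == NO_VMCS)
        return EMUL_VMFAIL;

    enum emul_rc rc = check_privilege(v);
    if (rc != EMUL_OKAY)
        return rc;
    return enter_nested_guest(v, is_resume);
}

/* Check-first ordering: nothing is read until the guest is known to be entitled. */
enum emul_rc handle_check_first(struct vcpu *v, bool is_resume)
{
    enum emul_rc rc = check_privilege(v);

    if (rc != EMUL_OKAY)
        return rc;
    return enter_nested_guest(v, is_resume);
}

/* Constructed sample vCPUs; the 0x5a pattern stands in for stale memory. */
struct vcpu make_vcpu(bool nested_enabled, unsigned int cpl)
{
    struct vcpu v = { .nested_enabled = nested_enabled, .cpl = cpl };

    if (nested_enabled) {
        v.nested.initialised = true;
        v.nested.vmcs_addr = 0x1000;
    } else {
        v.nested.vmcs_addr = 0x5a5a5a5aUL;
    }
    return v;
}

int main(void)
{
    struct vcpu a = make_vcpu(false, 3);   /* user-mode code, no nested virt */
    struct vcpu b = make_vcpu(false, 3);
    enum emul_rc ra = handle_deferred(&a, false);
    enum emul_rc rb = handle_check_first(&b, false);

    printf("deferred:    rc=%d uninit_uses=%u\n", ra, a.uninit_uses);
    printf("check first: rc=%d uninit_uses=%u\n", rb, b.uninit_uses);
    return 0;
}
```

Both orderings return the same result to the guest; only the deferred one has already consumed state that was never set up by the time it refuses the instruction.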


From xen-announce-bounces@lists.xen.org Wed Nov 20 17:10:06 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 20 Nov 2013 17:10:06 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VjBGk-0001rn-Be; Wed, 20 Nov 2013 17:08:50 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VjBGi-0001rS-Ki; Wed, 20 Nov 2013 17:08:48 +0000
Received: from [85.158.143.35:64877] by server-2.bemta-4.messagelabs.com id
	9A/E5-11386-F9CEC825; Wed, 20 Nov 2013 17:08:47 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-6.tower-21.messagelabs.com!1384967326!4544414!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.9.13; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 14167 invoked from network); 20 Nov 2013 17:08:46 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-6.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	20 Nov 2013 17:08:46 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VjBGb-000412-Bd; Wed, 20 Nov 2013 17:08:41 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VjBGa-0005yn-QD; Wed, 20 Nov 2013 17:08:41 +0000
Date: Wed, 20 Nov 2013 17:08:40 +0000
Message-Id: <E1VjBGa-0005yn-QD@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 78 - Insufficient TLB flushing
 in VT-d (iommu) code
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-78

           Insufficient TLB flushing in VT-d (iommu) code

ISSUE DESCRIPTION
=================

An inverted boolean parameter resulted in TLB flushes not happening
upon clearing of a present translation table entry.  Retaining stale
TLB entries could allow guests access to memory that ought to have
been revoked, or grant greater access than intended.

IMPACT
======

Malicious guest administrators might be able to cause host-wide denial
of service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests on
systems supporting Intel VT-d.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa78.patch        Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa78*.patch
2b858188495542b393532dfeb108ae95cbb507a008b5ebf430b96c95272f9e0e  xsa78.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa78.patch"
Content-Disposition: attachment; filename="xsa78.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Thu Nov 21 11:34:20 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 21 Nov 2013 11:34:20 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VjSVR-0001gu-Ru; Thu, 21 Nov 2013 11:33:09 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VjSVQ-0001ge-As; Thu, 21 Nov 2013 11:33:08 +0000
Received: from [193.109.254.147:25451] by server-12.bemta-14.messagelabs.com
	id B1/2C-25062-37FED825; Thu, 21 Nov 2013 11:33:07 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-13.tower-27.messagelabs.com!1385033585!4207301!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.9.13; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 13069 invoked from network); 21 Nov 2013 11:33:06 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-13.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	21 Nov 2013 11:33:06 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VjSVE-0006rs-JS; Thu, 21 Nov 2013 11:32:56 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VjSVD-0003Q6-SO; Thu, 21 Nov 2013 11:32:56 +0000
Date: Thu, 21 Nov 2013 11:32:56 +0000
Message-Id: <E1VjSVD-0003Q6-SO@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 78 (CVE-2013-6375) -
 Insufficient TLB flushing in VT-d (iommu) code
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-6375 / XSA-78
                              version 2

           Insufficient TLB flushing in VT-d (iommu) code

UPDATES IN VERSION 2
====================

This issue has been assigned CVE-2013-6375.

ISSUE DESCRIPTION
=================

An inverted boolean parameter resulted in TLB flushes not happening
upon clearing of a present translation table entry.  Retaining stale
TLB entries could allow guests access to memory that ought to have
been revoked, or grant greater access than intended.

IMPACT
======

Malicious guest administrators might be able to cause host-wide denial
of service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests on
systems supporting Intel VT-d.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa78.patch        Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa78*.patch
bb13b280bb456c1d7c8f468e23e336e6b2d06eb364c6823f1b426fcfe09f6ed3  xsa78.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa78.patch"
Content-Disposition: attachment; filename="xsa78.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Thu Nov 21 11:34:20 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 21 Nov 2013 11:34:20 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VjSVR-0001gu-Ru; Thu, 21 Nov 2013 11:33:09 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VjSVQ-0001ge-As; Thu, 21 Nov 2013 11:33:08 +0000
Received: from [193.109.254.147:25451] by server-12.bemta-14.messagelabs.com
	id B1/2C-25062-37FED825; Thu, 21 Nov 2013 11:33:07 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-13.tower-27.messagelabs.com!1385033585!4207301!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.9.13; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 13069 invoked from network); 21 Nov 2013 11:33:06 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-13.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	21 Nov 2013 11:33:06 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VjSVE-0006rs-JS; Thu, 21 Nov 2013 11:32:56 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VjSVD-0003Q6-SO; Thu, 21 Nov 2013 11:32:56 +0000
Date: Thu, 21 Nov 2013 11:32:56 +0000
Message-Id: <E1VjSVD-0003Q6-SO@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 78 (CVE-2013-6375) -
 Insufficient TLB flushing in VT-d (iommu) code
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-6375 / XSA-78
                              version 2

           Insufficient TLB flushing in VT-d (iommu) code

UPDATES IN VERSION 2
====================

This issue has been assigned CVE-2013-6375.

ISSUE DESCRIPTION
=================

An inverted boolean parameter resulted in TLB flushes not happening
upon clearing of a present translation table entry.  Retaining stale
TLB entries could allow guests access to memory that ought to have
been revoked, or grant greater access than intended.

IMPACT
======

Malicious guest administrators might be able to cause host-wide denial
of service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests on
systems supporting Intel VT-d.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa78.patch        Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa78*.patch
bb13b280bb456c1d7c8f468e23e336e6b2d06eb364c6823f1b426fcfe09f6ed3  xsa78.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa78.patch"
Content-Disposition: attachment; filename="xsa78.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
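
The failure mode described in the XSA-78 advisory above, reduced to a small C model (an added example, not code from Xen or from the attached patch): a translation table with a cache in front of it, where the flush helper trusts a caller-supplied flag saying whether the cleared entry was present. The names `iommu_model`, `clear_one`, `iotlb_flush` and `stale_after_unmap`, the sample values, and the skip-when-not-present behaviour are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_PAGES 16          /* size of the modelled guest address space */
#define NO_FRAME UINT64_MAX  /* returned when a translation faults */

/* Constructed model: a one-level translation table plus a per-page cache. */
struct iommu_model {
    uint64_t pte_frame[NR_PAGES];
    int      pte_present[NR_PAGES];
    uint64_t tlb_frame[NR_PAGES];
    int      tlb_valid[NR_PAGES];
    unsigned flushes;            /* number of invalidations actually issued */
};

static void model_init(struct iommu_model *m)
{
    memset(m, 0, sizeof(*m));
}

static void map_one(struct iommu_model *m, unsigned gfn, uint64_t frame)
{
    if (gfn >= NR_PAGES)
        return;
    m->pte_frame[gfn] = frame;
    m->pte_present[gfn] = 1;
}

/* Device access: served from the cache when possible, else walk and fill. */
static uint64_t translate(struct iommu_model *m, unsigned gfn)
{
    if (gfn >= NR_PAGES)
        return NO_FRAME;
    if (m->tlb_valid[gfn])
        return m->tlb_frame[gfn];
    if (!m->pte_present[gfn])
        return NO_FRAME;
    m->tlb_frame[gfn] = m->pte_frame[gfn];
    m->tlb_valid[gfn] = 1;
    return m->tlb_frame[gfn];
}

/*
 * Assumption of this model: the cache never holds non-present entries, so
 * the helper skips the invalidation when told the old entry was not present.
 * Returns 1 if an invalidation was issued, 0 if it was skipped.
 */
static int iotlb_flush(struct iommu_model *m, unsigned gfn, int old_pte_present)
{
    if (!old_pte_present)
        return 0;
    m->tlb_valid[gfn] = 0;
    m->flushes++;
    return 1;
}

/*
 * Clear one entry. The early return means the entry is known to be present
 * by the time the flush is requested, so the only correct flag value is 1.
 * flag_passed_to_flush lets the caller reproduce both variants.
 */
static void clear_one(struct iommu_model *m, unsigned gfn,
                      int flag_passed_to_flush)
{
    if (gfn >= NR_PAGES || !m->pte_present[gfn])
        return;
    m->pte_present[gfn] = 0;
    m->pte_frame[gfn] = 0;
    iotlb_flush(m, gfn, flag_passed_to_flush);
}

/*
 * Regression check: map, access (fills the cache), unmap, access again.
 * Returns 1 if the revoked translation is still served, 0 if the access
 * faults as it should, -1 if the setup itself failed.
 */
static int stale_after_unmap(int flag_passed_to_flush)
{
    struct iommu_model m;

    model_init(&m);
    map_one(&m, 5, 0x1234);               /* constructed sample mapping */
    if (translate(&m, 5) != 0x1234)
        return -1;
    clear_one(&m, 5, flag_passed_to_flush);
    return translate(&m, 5) != NO_FRAME;
}

int main(void)
{
    printf("inverted flag (0): stale=%d\n", stale_after_unmap(0));
    printf("correct flag  (1): stale=%d\n", stale_after_unmap(1));
    return 0;
}
```

The useful test shape for this class of bug is the one in `stale_after_unmap`: the access before the unmap matters, because without a cached translation the missing flush has no observable effect.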


From xen-announce-bounces@lists.xen.org Tue Nov 26 17:04:44 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 26 Nov 2013 17:04:44 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VlM2y-0001MB-Hs; Tue, 26 Nov 2013 17:03:36 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VlM2w-0001Lk-8G; Tue, 26 Nov 2013 17:03:34 +0000
Received: from [85.158.143.35:40849] by server-1.bemta-4.messagelabs.com id
	8C/10-02132-464D4925; Tue, 26 Nov 2013 17:03:32 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-16.tower-21.messagelabs.com!1385485411!1244749!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 5163 invoked from network); 26 Nov 2013 17:03:32 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-16.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	26 Nov 2013 17:03:32 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VlM2o-0003Ur-Tn; Tue, 26 Nov 2013 17:03:26 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VlM2o-0002ZM-PL; Tue, 26 Nov 2013 17:03:26 +0000
Date: Tue, 26 Nov 2013 17:03:26 +0000
Message-Id: <E1VlM2o-0002ZM-PL@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 76 (CVE-2013-4554) -
 Hypercalls exposed to privilege rings 1 and 2 of HVM guests
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4554 / XSA-76
                              version 3

      Hypercalls exposed to privilege rings 1 and 2 of HVM guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The privilege check applied to hypercall attempts by a HVM guest only refused
access from ring 3; rings 1 and 2 were allowed through.

IMPACT
======

Code running in the intermediate privilege rings of HVM guest OSes may be able
to elevate its privileges inside the guest by careful hypercall use.

VULNERABLE SYSTEMS
==================

Xen 3.0.3 and later are vulnerable.
Xen 3.0.2 and earlier are not vulnerable.

MITIGATION
==========

Running only PV guests, or running HVM guests known to not make use of
protection rings 1 and 2, will avoid this issue. As far as we are aware, no
mainstream OS (Linux, Windows, BSD) makes use of these rings.

CREDITS
=======

This issue was discovered by Jan Beulich.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa76.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x

$ sha256sum xsa76*.patch
8c4d460c71e8e8dffa32ce24f57ce872ccd8623ab72fd38be432f0a2b097e7c1  xsa76.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa76.patch"
Content-Disposition: attachment; filename="xsa76.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Tue Nov 26 17:04:44 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 26 Nov 2013 17:04:44 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1VlM3H-0001P8-3E; Tue, 26 Nov 2013 17:03:55 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VlM3E-0001OZ-Rg; Tue, 26 Nov 2013 17:03:53 +0000
Received: from [85.158.137.68:52524] by server-1.bemta-3.messagelabs.com id
	A3/B4-29598-774D4925; Tue, 26 Nov 2013 17:03:51 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-8.tower-31.messagelabs.com!1385485429!3944302!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.13; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 22848 invoked from network); 26 Nov 2013 17:03:50 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-8.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	26 Nov 2013 17:03:50 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VlM2l-0003Uf-9H; Tue, 26 Nov 2013 17:03:23 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1VlM2l-0002YF-0k; Tue, 26 Nov 2013 17:03:23 +0000
Date: Tue, 26 Nov 2013 17:03:23 +0000
Message-Id: <E1VlM2l-0002YF-0k@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 74 (CVE-2013-4553) - Lock
 order reversal between page_alloc_lock and mm_rwlock
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4553 / XSA-74
                              version 3

          Lock order reversal between page_alloc_lock and mm_rwlock

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The locks page_alloc_lock and mm_rwlock are not always taken in
the same order.  This raises the possibility of deadlock.

The incorrect order occurs only in the implementation of the
deprecated domctl hypercall XEN_DOMCTL_getmemlist.

IMPACT
======

A malicious guest administrator may be able to deny service to the
entire host.

VULNERABLE SYSTEMS
==================

Xen 3.4.x and later are vulnerable.
Xen 3.3.x and earlier are not vulnerable.

Only systems where a privileged domain frequently or predictably uses
XEN_DOMCTL_getmemlist are vulnerable.  (Its use by manually invoked
debugging and stress testing tools is not a security problem.)

We are not aware of any toolstack software which has relevant (and
hence vulnerable) uses of this hypercall.  xend, libxl, xapi and
libvirt are known not to do so.

We are therefore not aware of any deployed Xen-based systems which are
vulnerable.  We are issuing this advisory primarily for the benefit of
any Xen-derived systems using unusual toolstack software.

MITIGATION
==========

If you are using a toolstack (or other software) which uses
XEN_DOMCTL_getmemlist, disabling the relevant feature or functions may
be possible, and would avoid the vulnerability.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew
Cooper.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa74-4.3-unstable.patch    Xen 4.3.x, xen-unstable
xsa74-4.1-4.2.patch         Xen 4.1.x, Xen 4.2.x

$ sha256sum xsa74*.patch
0f7d0bbfbd7f3f1b6f6005321fa45081524dad438587f691e6892cc393327f89  xsa74-4.1-4.2.patch
b505cdba662b1b1cd91d5611fac998c6b4e89e366780c6b9864b6965075afb38  xsa74-4.3-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa74-4.1-4.2.patch"
Content-Disposition: attachment; filename="xsa74-4.1-4.2.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa74-4.3-unstable.patch"
Content-Disposition: attachment; filename="xsa74-4.3-unstable.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
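
The lock-ordering problem described in the XSA-74 advisory above can be caught mechanically by recording which lock is taken while which other lock is held, and flagging any acquisition that contradicts an order already seen. The following C sketch is an added example, not code from Xen or from the attached patches: the lock names come from the advisory, while the tracker, its function names, and the choice of `mm_rwlock` before `page_alloc_lock` as the common order are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Lock names taken from the advisory; everything else is hypothetical. */
enum { MM_RWLOCK, PAGE_ALLOC_LOCK, NR_LOCKS };
#define MAX_HELD 8

struct lock_order {
    int after[NR_LOCKS][NR_LOCKS]; /* after[a][b]: b was taken while a held */
    int held[MAX_HELD];            /* locks currently held, oldest first */
    int nr_held;
    int inversions;                /* acquisitions that contradicted the graph */
};

static void lo_init(struct lock_order *lo)
{
    memset(lo, 0, sizeof(*lo));
}

/* Depth-first search: is there a recorded chain from -> ... -> to? */
static int reaches(const struct lock_order *lo, int from, int to, int *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int n = 0; n < NR_LOCKS; n++)
        if (lo->after[from][n] && !seen[n] && reaches(lo, n, to, seen))
            return 1;
    return 0;
}

/*
 * Record an acquisition. Returns 0 if it is consistent with every order
 * seen so far, -1 if some earlier path took a currently held lock after
 * this one (two such paths running concurrently can deadlock).
 */
static int lo_acquire(struct lock_order *lo, int lock)
{
    int bad = 0;

    if (lo->nr_held >= MAX_HELD)
        return -1;
    for (int i = 0; i < lo->nr_held; i++) {
        int seen[NR_LOCKS] = {0};

        if (reaches(lo, lock, lo->held[i], seen))
            bad = 1;                              /* order reversal */
        else
            lo->after[lo->held[i]][lock] = 1;     /* learn held -> lock */
    }
    lo->held[lo->nr_held++] = lock;
    if (bad)
        lo->inversions++;
    return bad ? -1 : 0;
}

static void lo_release(struct lock_order *lo, int lock)
{
    for (int i = lo->nr_held - 1; i >= 0; i--) {
        if (lo->held[i] != lock)
            continue;
        memmove(&lo->held[i], &lo->held[i + 1],
                (size_t)(lo->nr_held - i - 1) * sizeof(lo->held[0]));
        lo->nr_held--;
        return;
    }
}

/* One code path that nests two locks; returns the reversals it triggered. */
static int run_path(struct lock_order *lo, int first, int second)
{
    int bad = 0;

    bad += lo_acquire(lo, first) != 0;
    bad += lo_acquire(lo, second) != 0;
    lo_release(lo, second);
    lo_release(lo, first);
    return bad;
}

/* Run path A then path B against a fresh tracker; total reversals found. */
static int check_pair(int a1, int a2, int b1, int b2)
{
    struct lock_order lo;

    lo_init(&lo);
    return run_path(&lo, a1, a2) + run_path(&lo, b1, b2);
}

int main(void)
{
    printf("same order twice: %d reversal(s)\n",
           check_pair(MM_RWLOCK, PAGE_ALLOC_LOCK, MM_RWLOCK, PAGE_ALLOC_LOCK));
    printf("second path reversed: %d reversal(s)\n",
           check_pair(MM_RWLOCK, PAGE_ALLOC_LOCK, PAGE_ALLOC_LOCK, MM_RWLOCK));
    return 0;
}
```

The tracker reports the reversal from a single-threaded run of both paths, so a rarely used path such as the one the advisory names is flagged the first time it executes, without needing the deadlock to occur.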

