From xen-announce-bounces@lists.xen.org Thu Jan 23 12:50:35 2014
Date: Thu, 23 Jan 2014 12:49:08 +0000
Message-Id: <E1W6JiW-0005PJ-M7@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 83 - Out-of-memory condition
 yielding memory corruption during IRQ setup
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-83
                              version 2

       Out-of-memory condition yielding memory corruption during IRQ setup

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

When setting up the IRQ for a passed through physical device, a flaw
in the error handling could result in a memory allocation being used
after it is freed, and then freed a second time.  This would typically
result in memory corruption.

IMPACT
======

Malicious guest administrators can trigger a use-after-free error, resulting
in hypervisor memory corruption.  The effects of memory corruption could be
anything, including a host-wide denial of service, or privilege escalation.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems making use of device passthrough are vulnerable.

Only systems with a 64-bit hypervisor configured to support more than 128
CPUs or with a 32-bit hypervisor configured to support more than 64 CPUs are
vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests on
systems supporting Intel VT-d or AMD Vi.

CREDITS
=======

This issue was discovered by Coverity Scan, prompted by modelling
improvements contributed by Andrew Cooper.  The issue was diagnosed
by Matthew Daley and Andrew Cooper.  The patch was prepared by Andrew
Cooper.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa83.patch                 Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa83*.patch
71ba62c024ed867f99f335ed63d7e04a7981d348cc29a3718e5c48f15a1e0fb1  xsa83.patch
$

--=separator
Content-Type: application/octet-stream; name="xsa83.patch"
Content-Disposition: attachment; filename="xsa83.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Thu Jan 23 14:28:53 2014
Date: Thu, 23 Jan 2014 14:27:20 +0000
Message-Id: <E1W6LFX-0000mR-TA@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 83 (CVE-2014-1642) -
 Out-of-memory condition yielding memory corruption during IRQ setup


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

               Xen Security Advisory CVE-2014-1642 / XSA-83
                              version 3

       Out-of-memory condition yielding memory corruption during IRQ setup

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

When setting up the IRQ for a passed through physical device, a flaw
in the error handling could result in a memory allocation being used
after it is freed, and then freed a second time.  This would typically
result in memory corruption.

IMPACT
======

Malicious guest administrators can trigger a use-after-free error, resulting
in hypervisor memory corruption.  The effects of memory corruption could be
anything, including a host-wide denial of service, or privilege escalation.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems making use of device passthrough are vulnerable.

Only systems with a 64-bit hypervisor configured to support more than 128
CPUs or with a 32-bit hypervisor configured to support more than 64 CPUs are
vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests on
systems supporting Intel VT-d or AMD Vi.

CREDITS
=======

This issue was discovered by Coverity Scan, prompted by modelling
improvements contributed by Andrew Cooper.  The issue was diagnosed
by Matthew Daley and Andrew Cooper.  The patch was prepared by Andrew
Cooper.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa83.patch                 Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa83*.patch
71ba62c024ed867f99f335ed63d7e04a7981d348cc29a3718e5c48f15a1e0fb1  xsa83.patch
$

--=separator
Content-Type: application/octet-stream; name="xsa83.patch"
Content-Disposition: attachment; filename="xsa83.patch"
Content-Transfer-Encoding: base64

--=separator--
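
The error path described under ISSUE DESCRIPTION, as an added example (not Xen source and not part of the advisory): a user-space C model in which a failure branch frees an allocation and then jumps to a shared exit path that still holds the pointer, next to a form that returns directly from that branch. The tracking heap, `bind_irq`, the `lost_race` path and all other names are assumptions made for illustration.

```c
/* Added illustration, not Xen source: user-space model of the error path
 * described in XSA-83. Every name below is hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Tracking heap: slots are never handed back to the system, so a stale
 * access or a repeated free is counted instead of corrupting memory. */
enum slot_state { SLOT_UNUSED, SLOT_LIVE, SLOT_FREED };
struct action { int nr_guests; };

#define NSLOTS 4
static struct action pool[NSLOTS];
static enum slot_state state[NSLOTS];
static int stale_uses, double_frees;
static int fail_mask_alloc, lost_race;  /* constructed failure inputs */
static struct action *installed;        /* stands in for the IRQ's action */

static struct action *model_alloc(void)
{
    for (int i = 0; i < NSLOTS; i++)
        if (state[i] == SLOT_UNUSED) {
            state[i] = SLOT_LIVE;
            return &pool[i];
        }
    return NULL;
}

static void model_touch(const struct action *a)
{
    if (state[a - pool] != SLOT_LIVE)
        stale_uses++;             /* access to memory already released */
}

static void model_free(struct action *a)
{
    if (a == NULL)
        return;
    if (state[a - pool] == SLOT_FREED)
        double_frees++;           /* same allocation released twice */
    state[a - pool] = SLOT_FREED;
}

static int model_alloc_mask(struct action *a)
{
    model_touch(a);               /* secondary allocation off the action */
    return !fail_mask_alloc;      /* this is the one that runs out of memory */
}

/* early_return == 0 models the flawed path, 1 the hardened one. */
static int bind_irq(int early_return)
{
    struct action *newaction = model_alloc();
    int rc = 0;

    if (newaction == NULL || !model_alloc_mask(newaction)) {
        model_free(newaction);    /* released here ... */
        if (early_return)
            return -ENOMEM;       /* hardened: skip the shared exit path */
        rc = -ENOMEM;
        goto out;                 /* flawed: the pointer is still set */
    }
    if (lost_race) {              /* legitimate user of the exit path */
        rc = -EBUSY;
        goto out;
    }
    installed = newaction;        /* ownership moves to the descriptor */
    newaction = NULL;
out:
    if (newaction != NULL) {      /* shared exit path frees a spare action */
        model_touch(newaction);   /* reads it to release the mask */
        model_free(newaction);
    }
    return rc;
}

struct result { int rc, stale_uses, double_frees, bound; };

static struct result run(int early_return, int fail_mask, int race)
{
    memset(state, 0, sizeof(state));
    stale_uses = double_frees = 0;
    installed = NULL;
    fail_mask_alloc = fail_mask;
    lost_race = race;
    int rc = bind_irq(early_return);
    struct result r = { rc, stale_uses, double_frees, installed != NULL };
    return r;
}

int main(void)
{
    struct result v = run(0, 1, 0), f = run(1, 1, 0);
    printf("flawed:   stale=%d double=%d\nhardened: stale=%d double=%d\n",
           v.stale_uses, v.double_frees, f.stale_uses, f.double_frees);
    return 0;
}
```

The `lost_race` case shows why the shared exit path exists at all: there the spare allocation is still live and is released exactly once.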


From xen-announce-bounces@lists.xen.org Fri Jan 24 11:42:43 2014
Date: Fri, 24 Jan 2014 11:41:14 +0000
Message-Id: <E1W6f8L-0004Sl-QT@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 87 - PHYSDEVOP_{prepare,
 release}_msix exposed to unprivileged guests


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                   Xen Security Advisory XSA-87

     PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests

ISSUE DESCRIPTION
=================

The PHYSDEVOP_{prepare,release}_msix operations are supposed to be available
to privileged guests (domain 0 in non-disaggregated setups) only, but the
necessary privilege check was missing.

IMPACT
======

Malicious or misbehaving unprivileged guests can cause the host or other
guests to malfunction. This can result in host-wide denial of service.
Privilege escalation, while seeming to be unlikely, cannot be excluded.

VULNERABLE SYSTEMS
==================

Xen 4.1.5 and 4.1.6.1 as well as 4.2.2 and later are vulnerable.
Xen 4.2.1 and 4.2.0 as well as 4.1.4 and earlier are not vulnerable.

Only PV guests can take advantage of this vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this issue.

There is no mitigation available for PV guests.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa87-unstable-4.3.patch    xen-unstable, Xen 4.3.x
xsa87-4.2.patch             Xen 4.2.x
xsa87-4.1.patch             Xen 4.1.x

$ sha256sum xsa87*.patch
45e5cc892626293067cc088a671a6bbdc18b018f54ff09b6a1cbb1fabbdf114d  xsa87-4.1.patch
df9c1507d7bb0e5266a2fadd992d1e6ed0f7bf5be7466b8a93ed3bd8e3ab8e8d  xsa87-4.2.patch
a13ce270b177d33537d627b85471abaa01215cd458541f4c6524914d7c81eb38  xsa87-unstable-4.3.patch
$

--=separator
Content-Type: application/octet-stream; name="xsa87-4.1.patch"
Content-Disposition: attachment; filename="xsa87-4.1.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa87-4.2.patch"
Content-Disposition: attachment; filename="xsa87-4.2.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa87-unstable-4.3.patch"
Content-Disposition: attachment; filename="xsa87-unstable-4.3.patch"
Content-Transfer-Encoding: base64

--=separator--
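
The missing privilege check described under ISSUE DESCRIPTION, as an added example (not Xen source and not part of the advisory): a C model of a sub-op dispatcher where two privileged operations run without consulting the caller, next to a table-driven form that enforces privilege in one place, plus a regression check that issues every privileged op as an unprivileged caller. The op names, `struct domain`, `op_table` and the handlers are hypothetical.

```c
/* Added illustration, not Xen source: model of a sub-op dispatcher in which
 * two privileged operations lack a caller check, as XSA-87 describes.
 * Op names, numbers and structures are hypothetical. */
#include <errno.h>
#include <stdio.h>

enum op { OP_EOI, OP_PREPARE_MSIX, OP_RELEASE_MSIX, OP_COUNT };
struct domain { int is_privileged; };
struct pci_dev_arg { unsigned seg, bus, devfn; };

static int msix_state_changes;    /* side effect on host-wide device state */

static int do_eoi(const struct pci_dev_arg *a)
{
    (void)a;
    return 0;
}

static int do_msix(const struct pci_dev_arg *a)
{
    (void)a;
    msix_state_changes++;
    return 0;
}

/* Before: each case is responsible for its own check, and two have none. */
static int dispatch_unchecked(const struct domain *d, int op,
                              const struct pci_dev_arg *arg)
{
    (void)d;
    switch (op) {
    case OP_EOI:
        return do_eoi(arg);
    case OP_PREPARE_MSIX:
    case OP_RELEASE_MSIX:
        return do_msix(arg);      /* caller's privilege never consulted */
    default:
        return -ENOSYS;
    }
}

/* After: privilege is declared per op and enforced in one place, before any
 * handler runs; an op with no table entry is refused. */
struct op_desc {
    int (*handler)(const struct pci_dev_arg *);
    int privileged;
};

static const struct op_desc op_table[OP_COUNT] = {
    [OP_EOI]          = { do_eoi,  0 },
    [OP_PREPARE_MSIX] = { do_msix, 1 },
    [OP_RELEASE_MSIX] = { do_msix, 1 },
};

static int dispatch_checked(const struct domain *d, int op,
                            const struct pci_dev_arg *arg)
{
    if (op < 0 || op >= OP_COUNT || op_table[op].handler == NULL)
        return -ENOSYS;
    if (op_table[op].privileged && !d->is_privileged)
        return -EPERM;
    return op_table[op].handler(arg);
}

typedef int (*dispatch_fn)(const struct domain *, int,
                           const struct pci_dev_arg *);

/* Issue one op as a privileged or unprivileged caller (constructed input). */
static int call_as(dispatch_fn dispatch, int is_privileged, int op)
{
    const struct domain d = { is_privileged };
    const struct pci_dev_arg arg = { 0, 0, 0 };

    return dispatch(&d, op, &arg);
}

/* Regression check: how many privileged ops change host state when an
 * unprivileged caller issues them? The answer must be zero. */
static int privileged_ops_reachable(dispatch_fn dispatch)
{
    int reachable = 0;

    for (int op = 0; op < OP_COUNT; op++) {
        if (!op_table[op].privileged)
            continue;
        msix_state_changes = 0;
        call_as(dispatch, 0, op);
        reachable += msix_state_changes != 0;
    }
    return reachable;
}

int main(void)
{
    printf("unchecked: %d privileged ops reachable by an unprivileged caller\n",
           privileged_ops_reachable(dispatch_unchecked));
    printf("checked:   %d\n", privileged_ops_reachable(dispatch_checked));
    return 0;
}
```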


List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                   Xen Security Advisory XSA-87

     PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests

ISSUE DESCRIPTION
=================

The PHYSDEVOP_{prepare,release}_msix operations are supposed to be available
to privileged guests (domain 0 in non-disaggregated setups) only, but the
necessary privilege check was missing.

IMPACT
======

Malicious or misbehaving unprivileged guests can cause the host or other
guests to malfunction. This can result in host-wide denial of service.
Privilege escalation, while seeming to be unlikely, cannot be excluded.

VULNERABLE SYSTEMS
==================

Xen 4.1.5 and 4.1.6.1 as well as 4.2.2 and later are vulnerable.
Xen 4.2.1 and 4.2.0 as well as 4.1.4 and earlier are not vulnerable.

Only PV guests can take advantage of this vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this issue.

There is no mitigation available for PV guests.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa87-unstable-4.3.patch    xen-unstable, Xen 4.3.x
xsa87-4.2.patch             Xen 4.2.x
xsa87-4.1.patch             Xen 4.1.x

$ sha256sum xsa87*.patch
45e5cc892626293067cc088a671a6bbdc18b018f54ff09b6a1cbb1fabbdf114d  xsa87-4.1.patch
df9c1507d7bb0e5266a2fadd992d1e6ed0f7bf5be7466b8a93ed3bd8e3ab8e8d  xsa87-4.2.patch
a13ce270b177d33537d627b85471abaa01215cd458541f4c6524914d7c81eb38  xsa87-unstable-4.3.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa87-4.1.patch"
Content-Disposition: attachment; filename="xsa87-4.1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa87-4.2.patch"
Content-Disposition: attachment; filename="xsa87-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa87-unstable-4.3.patch"
Content-Disposition: attachment; filename="xsa87-unstable-4.3.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--=separator--


From xen-announce-bounces@lists.xen.org Fri Jan 24 15:39:53 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 24 Jan 2014 15:39:53 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1W6ipx-0006IN-Nm; Fri, 24 Jan 2014 15:38:29 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1W6ipv-0006Hx-OT; Fri, 24 Jan 2014 15:38:28 +0000
Received: from [85.158.137.68:31994] by server-2.bemta-3.messagelabs.com id
	AA/08-17329-2F882E25; Fri, 24 Jan 2014 15:38:26 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-6.tower-31.messagelabs.com!1390577904!11121997!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 23002 invoked from network); 24 Jan 2014 15:38:25 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-6.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	24 Jan 2014 15:38:25 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1W6ipm-00053o-OT; Fri, 24 Jan 2014 15:38:18 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1W6ipm-0003Y2-D5; Fri, 24 Jan 2014 15:38:18 +0000
Date: Fri, 24 Jan 2014 15:38:18 +0000
Message-Id: <E1W6ipm-0003Y2-D5@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 87 (CVE-2014-1666) -
 PHYSDEVOP_{prepare, release}_msix exposed to unprivileged guests
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2014-1666 / XSA-87
                              version 2

     PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

The PHYSDEVOP_{prepare,release}_msix operations are supposed to be available
to privileged guests (domain 0 in non-disaggregated setups) only, but the
necessary privilege check was missing.

IMPACT
======

Malicious or misbehaving unprivileged guests can cause the host or other
guests to malfunction. This can result in host-wide denial of service.
Privilege escalation, while seeming to be unlikely, cannot be excluded.

VULNERABLE SYSTEMS
==================

Xen 4.1.5 and 4.1.6.1 as well as 4.2.2 and later are vulnerable.
Xen 4.2.1 and 4.2.0 as well as 4.1.4 and earlier are not vulnerable.

Only PV guests can take advantage of this vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this issue.

There is no mitigation available for PV guests.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa87-unstable-4.3.patch    xen-unstable, Xen 4.3.x
xsa87-4.2.patch             Xen 4.2.x
xsa87-4.1.patch             Xen 4.1.x

$ sha256sum xsa87*.patch
45e5cc892626293067cc088a671a6bbdc18b018f54ff09b6a1cbb1fabbdf114d  xsa87-4.1.patch
df9c1507d7bb0e5266a2fadd992d1e6ed0f7bf5be7466b8a93ed3bd8e3ab8e8d  xsa87-4.2.patch
a13ce270b177d33537d627b85471abaa01215cd458541f4c6524914d7c81eb38  xsa87-unstable-4.3.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa87-4.1.patch"
Content-Disposition: attachment; filename="xsa87-4.1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa87-4.2.patch"
Content-Disposition: attachment; filename="xsa87-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa87-unstable-4.3.patch"
Content-Disposition: attachment; filename="xsa87-unstable-4.3.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--=separator--
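
A triage helper for the VULNERABLE SYSTEMS, MITIGATION and RESOLUTION sections of the advisory above, added here as an example; it is not part of the advisory or of Xen's code. The function names and the "unlisted" verdict for versions the advisory does not name (such as 4.1.6, or anything newer than 4.3.x) are assumptions of this example.

```python
import hashlib
import os
import re

# Patch names and SHA-256 values copied from the advisory's RESOLUTION section,
# keyed by release series.
PATCHES = {
    (4, 1): ("xsa87-4.1.patch",
             "45e5cc892626293067cc088a671a6bbdc18b018f54ff09b6a1cbb1fabbdf114d"),
    (4, 2): ("xsa87-4.2.patch",
             "df9c1507d7bb0e5266a2fadd992d1e6ed0f7bf5be7466b8a93ed3bd8e3ab8e8d"),
    (4, 3): ("xsa87-unstable-4.3.patch",
             "a13ce270b177d33537d627b85471abaa01215cd458541f4c6524914d7c81eb38"),
}


def parse_version(text):
    """'4.1.6.1' -> (4, 1, 6, 1); '4.2.3-rc1' -> (4, 2, 3)."""
    m = re.match(r"\s*(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"not a Xen version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def classify(version):
    """Return 'vulnerable', 'not_vulnerable' or 'unlisted' per VULNERABLE SYSTEMS."""
    v = parse_version(version)
    series, point = v[:2], (v[2] if len(v) > 2 else 0)
    if series < (4, 1):
        return "not_vulnerable"          # "4.1.4 and earlier"
    if series == (4, 1):
        if point <= 4:
            return "not_vulnerable"
        if v[:3] == (4, 1, 5) or v == (4, 1, 6, 1):
            return "vulnerable"
        return "unlisted"                # e.g. 4.1.6: the advisory does not name it
    if series == (4, 2):
        return "not_vulnerable" if point <= 1 else "vulnerable"  # "4.2.2 and later"
    if series == (4, 3):
        return "vulnerable"
    return "unlisted"                    # assumption: newer than the patch table


def assess(version, guest_types):
    """Combine the version verdict with the PV-only condition and pick the patch."""
    status = classify(version)
    has_pv = any(g.strip().lower() == "pv" for g in guest_types)
    patch, digest = PATCHES.get(parse_version(version)[:2], (None, None))
    if status != "vulnerable":
        patch = digest = None
    return {"status": status,
            "exposed": status == "vulnerable" and has_pv,  # HVM-only hosts avoid it
            "patch": patch, "sha256": digest}


def patch_matches(path):
    """True only if the file's SHA-256 equals the advisory's value for its name."""
    expected = {name: digest for name, digest in PATCHES.values()}
    with open(path, "rb") as fh:
        actual = hashlib.sha256(fh.read()).hexdigest()
    return expected.get(os.path.basename(path)) == actual
```

A host that reports "vulnerable" but not "exposed" runs only HVM guests; the patch still applies to it, since the MITIGATION section offers nothing for PV guests started later.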




