From xen-announce-bounces@lists.xen.org Thu Feb 06 12:40:12 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 06 Feb 2014 12:40:12 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1WBOEO-0006io-BU; Thu, 06 Feb 2014 12:39:00 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WBOEM-0006iH-GZ; Thu, 06 Feb 2014 12:38:58 +0000
Received: from [85.158.143.35:20726] by server-3.bemta-4.messagelabs.com id
	9C/FB-11539-16283F25; Thu, 06 Feb 2014 12:38:57 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-14.tower-21.messagelabs.com!1391690336!3626393!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 10992 invoked from network); 6 Feb 2014 12:38:56 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-14.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	6 Feb 2014 12:38:56 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WBOEG-0008Oc-1y; Thu, 06 Feb 2014 12:38:52 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WBOEF-0000Zm-Nk; Thu, 06 Feb 2014 12:38:52 +0000
Date: Thu, 06 Feb 2014 12:38:51 +0000
Message-Id: <E1WBOEF-0000Zm-Nk@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 85 - Off-by-one error in
 FLASK_AVC_CACHESTAT hypercall
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                     Xen Security Advisory XSA-85
                              version 2

          Off-by-one error in FLASK_AVC_CACHESTAT hypercall

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The FLASK_AVC_CACHESTAT hypercall, which provides access to per-cpu
statistics on the Flask security policy, incorrectly validates the
CPU for which statistics are being requested.

IMPACT
======

An attacker can cause the hypervisor to read past the end of an
array. This may result in either a host crash, leading to a denial of
service, or access to a small and static region of hypervisor memory,
leading to an information leak.

VULNERABLE SYSTEMS
==================

Xen versions 4.2 and later are vulnerable to this issue when built with
XSM/Flask support. XSM support is disabled by default and is enabled
by building with XSM_ENABLE=y.

Only systems with the maximum supported number of physical CPUs are
vulnerable. Systems with a greater number of physical CPUs will only
make use of the maximum supported number and are therefore vulnerable.

By default the following maximums apply:
 * x86_32: 128 (only until Xen 4.2.x)
 * x86_64: 256
These defaults can be overridden at build time via max_phys_cpus=N.

The vulnerable hypercall is exposed to all domains.

MITIGATION
==========

Rebuilding Xen with more supported physical CPUs can avoid the
vulnerability, provided that the supported number is strictly greater
than the actual number of CPUs on any host on which the hypervisor is
to run.

If XSM is compiled in, but not actually in use, compiling it out (with
XSM_ENABLE=n) will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa85.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa85*.patch
20571024e6815eeb40d2f92a3d70ae699047cffafb5431ec74b652e0843a5315  xsa85.patch
$

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa85.patch"
Content-Disposition: attachment; filename="xsa85.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
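The off-by-one bounds check described in XSA-85 above, modelled as an added example (this is not Xen's code; the array size, the nr_cpu_ids comparison and the function names are assumptions chosen to match the advisory's description of which systems are affected and why a larger max_phys_cpus masks the bug):

```c
/* Added example, not Xen's code: a model of the CPU-id check in the
 * FLASK_AVC_CACHESTAT hypercall that XSA-85 describes as off by one.
 * Assumptions (hypothetical names): the per-cpu statistics are an array
 * sized by the build-time maximum max_phys_cpus (256 on x86_64 by default,
 * as the advisory states), and the hypercall validates the requested id
 * against the number of CPU ids actually in use on the host. */
#include <errno.h>
#include <stdbool.h>

#define MAX_PHYS_CPUS 256u          /* build-time maximum (max_phys_cpus=N) */

struct avc_cache_stats {
    unsigned long lookups, hits, misses;
};

/* Simulated hypervisor state: one statistics slot per supported CPU, and
 * the count of CPU ids in use, anything from 1 up to MAX_PHYS_CPUS. */
static struct avc_cache_stats per_cpu_stats[MAX_PHYS_CPUS];
static unsigned int nr_cpu_ids = MAX_PHYS_CPUS;

void set_cpus_in_use(unsigned int n)
{
    nr_cpu_ids = n <= MAX_PHYS_CPUS ? n : MAX_PHYS_CPUS;
}

/* The off-by-one check: rejects only ids strictly greater than nr_cpu_ids,
 * so cpu == nr_cpu_ids slips through. Returns 0 (accept) or -ENOENT.
 * Kept only for comparison. */
int validate_cpu_off_by_one(unsigned int cpu)
{
    if (cpu > nr_cpu_ids)
        return -ENOENT;
    return 0;
}

/* Corrected check: valid ids are 0 .. nr_cpu_ids - 1. */
int validate_cpu_fixed(unsigned int cpu)
{
    if (cpu >= nr_cpu_ids)
        return -ENOENT;
    return 0;
}

/* True when idx can index per_cpu_stats without reading past its end. */
bool index_in_bounds(unsigned int idx)
{
    return idx < MAX_PHYS_CPUS;
}

/* Returns 1 when, with cpus_in_use CPU ids in use, the off-by-one check
 * accepts an id that lies past the end of the array; 0 otherwise. The
 * extra id that slips through is cpus_in_use itself, which is only out
 * of bounds when cpus_in_use == MAX_PHYS_CPUS. A hypervisor built with
 * max_phys_cpus strictly greater than the host's CPU count therefore
 * masks the bug, which is the mitigation the advisory gives. */
int off_by_one_reads_out_of_bounds(unsigned int cpus_in_use)
{
    set_cpus_in_use(cpus_in_use);
    unsigned int slipped = cpus_in_use;  /* wrongly accepted by the old check */
    if (validate_cpu_off_by_one(slipped) != 0)
        return 0;
    return index_in_bounds(slipped) ? 0 : 1;
}

/* Hardened lookup: copies the statistics for cpu into *out.
 * Returns 0 on success or -ENOENT for an id that is not in use. */
int avc_cachestats_lookup(unsigned int cpu, struct avc_cache_stats *out)
{
    int rc = validate_cpu_fixed(cpu);
    if (rc != 0)
        return rc;
    *out = per_cpu_stats[cpu];       /* cpu < nr_cpu_ids <= MAX_PHYS_CPUS */
    return 0;
}
```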


From xen-announce-bounces@lists.xen.org Thu Feb 06 12:40:12 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 06 Feb 2014 12:40:12 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1WBOEn-0006qt-Nr; Thu, 06 Feb 2014 12:39:25 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WBOEl-0006q9-VA; Thu, 06 Feb 2014 12:39:24 +0000
Received: from [85.158.143.35:32043] by server-3.bemta-4.messagelabs.com id
	C6/0D-11539-B7283F25; Thu, 06 Feb 2014 12:39:23 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-15.tower-21.messagelabs.com!1391690361!3632109!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 5432 invoked from network); 6 Feb 2014 12:39:22 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-15.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	6 Feb 2014 12:39:22 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WBOEg-0008Pj-3h; Thu, 06 Feb 2014 12:39:18 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WBOEf-0000s1-Tq; Thu, 06 Feb 2014 12:39:18 +0000
Date: Thu, 06 Feb 2014 12:39:17 +0000
Message-Id: <E1WBOEf-0000s1-Tq@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 86 - libvchan failure handling
 malicious ring indexes
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                     Xen Security Advisory XSA-86
                              version 2

           libvchan failure handling malicious ring indexes

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

libvchan (a library for inter-domain communication) does not correctly
handle unusual or malicious contents in the xenstore ring.  A
malicious guest can exploit this to cause a libvchan-using facility to
read or write past the end of the ring.

IMPACT
======

libvchan-using facilities are vulnerable to denial of service and
perhaps privilege escalation.

There are no such services provided in the upstream Xen Project
codebase.

VULNERABLE SYSTEMS
==================

All versions of libvchan are vulnerable.  Only installations which use
libvchan for communication involving untrusted domains are vulnerable.

libvirt, xapi, xend, libxl and xl do not use libvchan.  If your
installation contains other Xen-related software components it is
possible that they use libvchan and might be vulnerable.

Xen versions 4.1 and earlier do not contain libvchan.

MITIGATION
==========

Disabling libvchan-based facilities could be used to mitigate the
vulnerability.

CREDITS
=======

This issue was discovered by Marek Marczykowski-Górecki of Invisible
Things Lab.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

After the patch is applied to the Xen tree and built, any software
which is statically linked against libvchan will need to be relinked
against the new libvchan.a for the fix to take effect.

xsa86.patch        Xen 4.2.x, 4.3.x, 4.4-RC series, and xen-unstable

$ sha256sum xsa86*.patch
cd2df017e42717dd2a1b6f2fdd3ad30a38d3c0fbdd9d08b5f56ee0a01cd87b51  xsa86.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa86.patch"
Content-Disposition: attachment; filename="xsa86.patch"
Content-Transfer-Encoding: base64
--=separator--
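The ring-index failure that XSA-86 above describes, as an added example (not libvchan's code; the ring size, field names and function names are constructed assumptions): the naive "bytes ready" count beside a sanitised one, and a receive path that bounds both the copy length and the start offset so a hostile peer's indices cannot drive a copy past the end of the ring.

```c
/* Added example, not libvchan's code: computing "bytes ready" and "buffer
 * space" for a shared ring whose producer/consumer indices are written by
 * an untrusted peer, the failure mode XSA-86 describes. Assumptions
 * (hypothetical names, constructed sizes): 32-bit free-running indices, a
 * power-of-two ring, our side owning cons and the peer owning prod. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RING_SIZE 1024u             /* constructed; must be a power of two */

struct ring {
    uint32_t prod;                  /* advanced by the peer: untrusted */
    uint32_t cons;                  /* advanced by us */
    uint8_t  buf[RING_SIZE];        /* shared data area */
};

/* Naive count: the difference of two peer-influenced 32-bit indices
 * dropped into an int. A hostile peer can make it negative or larger than
 * the ring, and a copy length derived from it walks off the end of buf.
 * Kept only for comparison. */
int data_ready_naive(uint32_t prod, uint32_t cons)
{
    return (int)(prod - cons);
}

/* Sanitised count: unsigned arithmetic, then reject any value that cannot
 * describe a real ring state (more than RING_SIZE bytes pending). There is
 * no way to report an error to the caller, so the ring simply reads as
 * empty and the channel stalls, which is safer than overflowing. */
uint32_t data_ready_sane(uint32_t prod, uint32_t cons)
{
    uint32_t ready = prod - cons;   /* wraps correctly for free-running indices */
    if (ready > RING_SIZE)
        return 0;
    return ready;
}

/* Same treatment for the writer side: free space can never exceed the ring. */
uint32_t buffer_space_sane(uint32_t prod, uint32_t cons)
{
    uint32_t space = RING_SIZE - (prod - cons);
    if (space > RING_SIZE)
        return 0;
    return space;
}

/* Copies up to size bytes out of the ring into data and returns the number
 * copied. The length is bounded by the sanitised count and the start
 * offset is masked with the ring size, so even a corrupted cons selects an
 * in-ring offset; the worst case is reading the wrong part of the ring,
 * never memory beyond it. */
size_t ring_recv(struct ring *r, void *data, size_t size)
{
    uint32_t ready = data_ready_sane(r->prod, r->cons);
    if (size > ready)
        size = ready;
    uint32_t idx = r->cons & (RING_SIZE - 1);
    size_t first = RING_SIZE - idx;  /* bytes before the ring wraps */
    if (first > size)
        first = size;
    memcpy(data, r->buf + idx, first);
    memcpy((uint8_t *)data + first, r->buf, size - first);
    r->cons += (uint32_t)size;
    return size;
}

/* Constructed scenario: fill the ring with buf[i] = i, set the indices as
 * given and receive up to want bytes into scratch. Returns bytes received;
 * scratch_byte() and demo_cons() expose the result for inspection. */
static struct ring demo_ring;
static uint8_t scratch[RING_SIZE];

size_t recv_scenario(uint32_t prod, uint32_t cons, size_t want)
{
    for (uint32_t i = 0; i < RING_SIZE; i++)
        demo_ring.buf[i] = (uint8_t)i;
    demo_ring.prod = prod;
    demo_ring.cons = cons;
    memset(scratch, 0xAA, sizeof scratch);
    return ring_recv(&demo_ring, scratch, want < RING_SIZE ? want : RING_SIZE);
}

int scratch_byte(size_t i)
{
    return i < RING_SIZE ? scratch[i] : -1;
}

uint32_t demo_cons(void)
{
    return demo_ring.cons;
}
```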


From xen-announce-bounces@lists.xen.org Thu Feb 06 14:20:18 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 06 Feb 2014 14:20:18 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1WBPnC-0006Y9-Lq; Thu, 06 Feb 2014 14:19:02 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WBPn8-0006Xt-U5; Thu, 06 Feb 2014 14:18:59 +0000
Received: from [85.158.139.211:42461] by server-17.bemta-5.messagelabs.com id
	EA/05-31975-1D993F25; Thu, 06 Feb 2014 14:18:57 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-9.tower-206.messagelabs.com!1391696336!2137646!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 4639 invoked from network); 6 Feb 2014 14:18:57 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-9.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	6 Feb 2014 14:18:57 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WBPmz-0000zk-1z; Thu, 06 Feb 2014 14:18:49 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WBPmy-0004Ab-3K; Thu, 06 Feb 2014 14:18:48 +0000
Date: Thu, 06 Feb 2014 14:18:48 +0000
Message-Id: <E1WBPmy-0004Ab-3K@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 84 - integer overflow in
 several XSM/Flask hypercalls
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                     Xen Security Advisory XSA-84
                              version 2

           integer overflow in several XSM/Flask hypercalls

UPDATES IN VERSION 2
====================

Public release.

The patch for 4.1 was extended to cover a few further similar issues.

ISSUE DESCRIPTION
=================

The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID
suboperations of the flask hypercall are vulnerable to an integer
overflow on the input size. The hypercalls attempt to allocate a
buffer which is 1 larger than this size and is therefore vulnerable to
integer overflow and an attempt to allocate then access a zero byte
buffer.

Xen 3.3 through 4.1, while not affected by the above overflow, have a
different overflow issue on FLASK_{GET,SET}BOOL and expose unreasonably
large memory allocation to arbitrary guests.

Xen 3.2 (and presumably earlier) exhibit both problems, with the
overflow issue being present for more than just the suboperations
listed above.

The FLASK_GETBOOL op is available to all domains.

The FLASK_SETBOOL op is only available to domains which are granted
access via the Flask policy.  However the permissions check is
performed only after running the vulnerable code and the vulnerability
via this subop is exposed to all domains.

The FLASK_USER and FLASK_CONTEXT_TO_SID ops are only available to
domains which are granted access via the Flask policy.

IMPACT
======

Attempting to access the result of a zero byte allocation results in
a processor fault leading to a denial of service.

VULNERABLE SYSTEMS
==================

All Xen versions back to at least 3.2 are vulnerable to this issue when
built with XSM/Flask support. XSM support is disabled by default and is
enabled by building with XSM_ENABLE=y.

We have not checked earlier versions of Xen, but it is likely that
they are vulnerable to this or related vulnerabilities.

All Xen versions built with XSM_ENABLE=y are vulnerable.

MITIGATION
==========

There is no useful mitigation available in installations where XSM
support is actually in use.

In other systems, compiling it out (with XSM_ENABLE=n) will avoid the
vulnerability.

CREDITS
=======

This issue was discovered by Matthew Daley.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa84-unstable-4.3.patch        xen-unstable,Xen 4.3.x
xsa84-4.2.patch                 Xen 4.2.x
xsa84-4.1.patch                 Xen 4.1.x


$ sha256sum xsa84*.patch
e33dd94499959363ad01bebefda9733683c49fd42a9641cf2d7edcd87f853d55  xsa84-4.1.patch
433f3c8a202482c51a48dc0e9e47ac8751d1c0d0759b7bcd22804e1856279a89  xsa84-4.2.patch
64ae433eb606c5446184c08e6fceb9f660ed9a9c28ec112c8cc529251b3b49fb  xsa84-unstable-4.3.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJS85mEAAoJEIP+FMlX6CvZpLkH/1+K6cyCORgAmm1z4zzq4lwg
2XNHen88xZ/NAzZN/ETiGrvtafpGe2yBUAQlJWrYoKGNimBKVh4wlVUmymm/GLRp
Fcg+eck6q5BGF1L4ojMrWkZy1XqEOHrdzBk7nYxsJ/LN6lKKupvtPG67x65qBMkP
z/jEq5vP37J9mWtaZjBCn9wpfGrrUnoOi+MKw/5Wmr44eDm/V5+tJmZiAqxxvB9H
fFs2CI7alIvX4j848dG17juYGemlnVqOMHS65+IchDShAcde9ho6EoQMpDISFK+Q
HSCY5HfSPn4XmpqWHKlONL3sQAMj6WqZvok3WxlU0lIq9PPVrvdQDrbP4GdJKz4=
=dK4H
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa84-4.1.patch"
Content-Disposition: attachment; filename="xsa84-4.1.patch"
Content-Transfer-Encoding: base64

UmVmZXJlbmNlczogYm5jIzg2MDE2MyBYU0EtODQKCmZsYXNrOiByZXN0cmlj
dCBhbGxvY2F0aW9ucyBkb25lIGJ5IGh5cGVyY2FsbCBpbnRlcmZhY2UKCk90
aGVyIHRoYW4gaW4gNC4yIGFuZCBuZXdlciwgd2UncmUgbm90IGhhdmluZyBh
biBvdmVyZmxvdyBpc3N1ZSBoZXJlLApidXQgdW5jb250cm9sbGVkIGV4cG9z
dXJlIG9mIHRoZSBvcGVyYXRpb25zIG9wZW5zIHRoZSBob3N0IHRvIGJlIGRy
aXZlbgpvdXQgb2YgbWVtb3J5IGJ5IGFuIGFyYml0cmFyeSBndWVzdC4gU2lu
Y2UgYWxsIG9wZXJhdGlvbnMgb3RoZXIgdGhhbgpGTEFTS19MT0FEIHNpbXBs
eSBkZWFsIHdpdGggQVNDSUkgc3RyaW5ncywgbGltaXRpbmcgdGhlIGFsbG9j
YXRpb25zCihhbmQgaW5jb21pbmcgYnVmZmVyIHNpemVzKSB0byBhIHBhZ2Ug
d29ydGggb2YgbWVtb3J5IHNlZW1zIGxpa2UgdGhlCmJlc3QgdGhpbmcgd2Ug
Y2FuIGRvLgoKQ29uc2VxdWVudGx5LCBpbiBvcmRlciB0byBub3QgZXhwb3Nl
IHRoZSBsYXJnZXIgYWxsb2NhdGlvbiB0byBhcmJpdHJhcnkKZ3Vlc3RzLCB0
aGUgcGVybWlzc2lvbiBjaGVjayBmb3IgRkxBU0tfTE9BRCBuZWVkcyB0byBi
ZSBwdWxsZWQgYWhlYWQgb2YKdGhlIGFsbG9jYXRpb24gKGFuZCBpdCdzIHBl
cmhhcHMgd29ydGggbm90aW5nIHRoYXQgLSBhZmFpY3QgLSBpdCB3YXMKcG9p
bnRsZXNzbHkgZG9uZSB3aXRoIHRoZSBzZWxfc2VtIHNwaW4gbG9jayBoZWxk
KS4KCk5vdGUgdGhhdCB0aGlzIGJyZWFrcyBGTEFTS19BVkNfQ0FDSEVTVEFU
UyBvbiBzeXN0ZW1zIHdpdGggc3VmZmljaWVudGx5Cm1hbnkgQ1BVcyAoYXMg
cmVxdWlyaW5nIGEgYnVmZmVyIGJpZ2dlciB0aGFuIFBBR0VfU0laRSB0aGVy
ZSkuIE5vCmF0dGVtcHQgaXMgbWFkZSB0byBhZGRyZXNzIHRoaXMgaGVyZSwg
YXMgaXQgd291bGQgbmVlZGxlc3NseSBjb21wbGljYXRlCnRoaXMgZml4IHdp
dGggcmF0aGVyIGxpdHRsZSBnYWluLgoKVGhpcyBpcyBYU0EtODQuCgpSZXBv
cnRlZC1ieTogTWF0dGhldyBEYWxleSA8bWF0dGRAYnVnZnV6ei5jb20+ClNp
Z25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4K
ClRoZSBpbmRleCBvZiBib29sZWFuIHZhcmlhYmxlcyBpbiBGTEFTS197R0VU
LFNFVH1CT09MIHdhcyBub3QgYWx3YXlzCmNoZWNrZWQgYWdhaW5zdCB0aGUg
Ym91bmRzIG9mIHRoZSBhcnJheS4KClJlcG9ydGVkLWJ5OiBKb2huIE1jRGVy
bW90dCA8am9obi5tY2Rlcm1vdHRAbnJsLm5hdnkubWlsPgpTaWduZWQtb2Zm
LWJ5OiBEYW5pZWwgRGUgR3JhYWYgPGRnZGVncmFAdHljaG8ubnNhLmdvdj4K
Ci0tLSBhL3hlbi94c20vZmxhc2svZmxhc2tfb3AuYworKysgYi94ZW4veHNt
L2ZsYXNrL2ZsYXNrX29wLmMKQEAgLTU3Myw3ICs1NzMsNyBAQCBzdGF0aWMg
aW50IGZsYXNrX3NlY3VyaXR5X3NldGF2Y190aHJlc2hvCiBzdGF0aWMgaW50
IGZsYXNrX3NlY3VyaXR5X3NldF9ib29sKGNoYXIgKmJ1ZiwgdWludDMyX3Qg
Y291bnQpCiB7CiAgICAgaW50IGxlbmd0aCA9IC1FRkFVTFQ7Ci0gICAgaW50
IGksIG5ld192YWx1ZTsKKyAgICB1bnNpZ25lZCBpbnQgaSwgbmV3X3ZhbHVl
OwogCiAgICAgc3Bpbl9sb2NrKCZzZWxfc2VtKTsKIApAQCAtNTg1LDYgKzU4
NSw5IEBAIHN0YXRpYyBpbnQgZmxhc2tfc2VjdXJpdHlfc2V0X2Jvb2woY2hh
ciAKICAgICBpZiAoIHNzY2FuZihidWYsICIlZCAlZCIsICZpLCAmbmV3X3Zh
bHVlKSAhPSAyICkKICAgICAgICAgZ290byBvdXQ7CiAKKyAgICBpZiAoIGkg
Pj0gYm9vbF9udW0gKQorICAgICAgICBnb3RvIG91dDsKKwogICAgIGlmICgg
bmV3X3ZhbHVlICkKICAgICB7CiAgICAgICAgIG5ld192YWx1ZSA9IDE7CkBA
IC03MzQsMTAgKzczNyw2IEBAIHN0YXRpYyBpbnQgZmxhc2tfc2VjdXJpdHlf
bG9hZChjaGFyICpidWYKIAogICAgIHNwaW5fbG9jaygmc2VsX3NlbSk7CiAK
LSAgICBsZW5ndGggPSBkb21haW5faGFzX3NlY3VyaXR5KGN1cnJlbnQtPmRv
bWFpbiwgU0VDVVJJVFlfX0xPQURfUE9MSUNZKTsKLSAgICBpZiAoIGxlbmd0
aCApCi0gICAgICAgIGdvdG8gb3V0OwotCiAgICAgbGVuZ3RoID0gc2VjdXJp
dHlfbG9hZF9wb2xpY3koYnVmLCBjb3VudCk7CiAgICAgaWYgKCBsZW5ndGgg
KQogICAgICAgICBnb3RvIG91dDsKQEAgLTg1Myw3ICs4NTIsMTUgQEAgbG9u
ZyBkb19mbGFza19vcChYRU5fR1VFU1RfSEFORExFKHhzbV9vcAogICAgIGlm
ICggb3AtPmNtZCA+IEZMQVNLX0xBU1QpCiAgICAgICAgIHJldHVybiAtRUlO
VkFMOwogCi0gICAgaWYgKCBvcC0+c2l6ZSA+IE1BWF9QT0xJQ1lfU0laRSAp
CisgICAgaWYgKCBvcC0+Y21kID09IEZMQVNLX0xPQUQgKQorICAgIHsKKyAg
ICAgICAgcmMgPSBkb21haW5faGFzX3NlY3VyaXR5KGN1cnJlbnQtPmRvbWFp
biwgU0VDVVJJVFlfX0xPQURfUE9MSUNZKTsKKyAgICAgICAgaWYgKCByYyAp
CisgICAgICAgICAgICByZXR1cm4gcmM7CisgICAgICAgIGlmICggb3AtPnNp
emUgPiBNQVhfUE9MSUNZX1NJWkUgKQorICAgICAgICAgICAgcmV0dXJuIC1F
SU5WQUw7CisgICAgfQorICAgIGVsc2UgaWYgKCBvcC0+c2l6ZSA+PSBQQUdF
X1NJWkUgKQogICAgICAgICByZXR1cm4gLUVJTlZBTDsKIAogICAgIGlmICgg
KG9wLT5idWYgPT0gTlVMTCAmJiBvcC0+c2l6ZSAhPSAwKSB8fCAKLS0tIGEv
eGVuL3hzbS9mbGFzay9zcy9zZXJ2aWNlcy5jCisrKyBiL3hlbi94c20vZmxh
c2svc3Mvc2VydmljZXMuYwpAQCAtMTk5MSw3ICsxOTkxLDcgQEAgaW50IHNl
Y3VyaXR5X2dldF9ib29sX3ZhbHVlKGludCBib29sKQogICAgIFBPTElDWV9S
RExPQ0s7CiAKICAgICBsZW4gPSBwb2xpY3lkYi5wX2Jvb2xzLm5wcmltOwot
ICAgIGlmICggYm9vbCA+PSBsZW4gKQorICAgIGlmICggYm9vbCA+PSBsZW4g
fHwgYm9vbCA8IDAgKQogICAgIHsKICAgICAgICAgcmMgPSAtRUZBVUxUOwog
ICAgICAgICBnb3RvIG91dDsK

--=separator
Content-Type: application/octet-stream; name="xsa84-4.2.patch"
Content-Disposition: attachment; filename="xsa84-4.2.patch"
Content-Transfer-Encoding: base64

Zmxhc2s6IGZpeCByZWFkaW5nIHN0cmluZ3MgZnJvbSBndWVzdCBtZW1vcnkK
ClNpbmNlIHRoZSBzdHJpbmcgc2l6ZSBpcyBiZWluZyBzcGVjaWZpZWQgYnkg
dGhlIGd1ZXN0LCB3ZSBtdXN0IHJhbmdlCmNoZWNrIGl0IHByb3Blcmx5IGJl
Zm9yZSBkb2luZyBhbGxvY2F0aW9ucyBiYXNlZCBvbiBpdC4gV2hpbGUgZm9y
IHRoZQp0d28gY2FzZXMgdGhhdCBhcmUgZXhwb3NlZCBvbmx5IHRvIHRydXN0
ZWQgZ3Vlc3RzICh2aWEgcG9saWN5CnJlc3RyaWN0aW9uKSB0aGlzIGp1c3Qg
dXNlcyBhbiBhcmJpdHJhcnkgdXBwZXIgbGltaXQgKFBBR0VfU0laRSksIGZv
cgp0aGUgRkxBU0tfW0dTXUVUQk9PTCBjYXNlICh3aGljaCBhbnkgZ3Vlc3Qg
Y2FuIHVzZSkgdGhlIHVwcGVyIGxpbWl0CmdldHMgZW5mb3JjZWQgYmFzZWQg
b24gdGhlIGxvbmdlc3QgbmFtZSBhY3Jvc3MgYWxsIGJvb2xlYW4gc2V0dGlu
Z3MuCgpUaGlzIGlzIFhTQS04NC4KClJlcG9ydGVkLWJ5OiBNYXR0aGV3IERh
bGV5IDxtYXR0ZEBidWdmdXp6LmNvbT4KU2lnbmVkLW9mZi1ieTogSmFuIEJl
dWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpBY2tlZC1ieTogRGFuaWVsIERl
IEdyYWFmIDxkZ2RlZ3JhQHR5Y2hvLm5zYS5nb3Y+CgotLS0gYS94ZW4veHNt
L2ZsYXNrL2ZsYXNrX29wLmMKKysrIGIveGVuL3hzbS9mbGFzay9mbGFza19v
cC5jCkBAIC01Myw2ICs1Myw3IEBAIHN0YXRpYyBERUZJTkVfU1BJTkxPQ0so
c2VsX3NlbSk7CiAvKiBnbG9iYWwgZGF0YSBmb3IgYm9vbGVhbnMgKi8KIHN0
YXRpYyBpbnQgYm9vbF9udW0gPSAwOwogc3RhdGljIGludCAqYm9vbF9wZW5k
aW5nX3ZhbHVlcyA9IE5VTEw7CitzdGF0aWMgc2l6ZV90IGJvb2xfbWF4c3Ry
Owogc3RhdGljIGludCBmbGFza19zZWN1cml0eV9tYWtlX2Jvb2xzKHZvaWQp
OwogCiBleHRlcm4gaW50IHNzX2luaXRpYWxpemVkOwpAQCAtNzEsOSArNzIs
MTUgQEAgc3RhdGljIGludCBkb21haW5faGFzX3NlY3VyaXR5KHN0cnVjdCBk
bwogICAgICAgICAgICAgICAgICAgICAgICAgcGVybXMsIE5VTEwpOwogfQog
Ci1zdGF0aWMgaW50IGZsYXNrX2NvcHlpbl9zdHJpbmcoWEVOX0dVRVNUX0hB
TkRMRShjaGFyKSB1X2J1ZiwgY2hhciAqKmJ1ZiwgdWludDMyX3Qgc2l6ZSkK
K3N0YXRpYyBpbnQgZmxhc2tfY29weWluX3N0cmluZyhYRU5fR1VFU1RfSEFO
RExFKGNoYXIpIHVfYnVmLCBjaGFyICoqYnVmLAorICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgIHNpemVfdCBzaXplLCBzaXplX3QgbWF4X3NpemUp
CiB7Ci0gICAgY2hhciAqdG1wID0geG1hbGxvY19ieXRlcyhzaXplICsgMSk7
CisgICAgY2hhciAqdG1wOworCisgICAgaWYgKCBzaXplID4gbWF4X3NpemUg
KQorICAgICAgICByZXR1cm4gLUVOT0VOVDsKKworICAgIHRtcCA9IHhtYWxs
b2NfYXJyYXkoY2hhciwgc2l6ZSArIDEpOwogICAgIGlmICggIXRtcCApCiAg
ICAgICAgIHJldHVybiAtRU5PTUVNOwogCkBAIC05OSw3ICsxMDYsNyBAQCBz
dGF0aWMgaW50IGZsYXNrX3NlY3VyaXR5X3VzZXIoc3RydWN0IHhlCiAgICAg
aWYgKCBydiApCiAgICAgICAgIHJldHVybiBydjsKIAotICAgIHJ2ID0gZmxh
c2tfY29weWluX3N0cmluZyhhcmctPnUudXNlciwgJnVzZXIsIGFyZy0+c2l6
ZSk7CisgICAgcnYgPSBmbGFza19jb3B5aW5fc3RyaW5nKGFyZy0+dS51c2Vy
LCAmdXNlciwgYXJnLT5zaXplLCBQQUdFX1NJWkUpOwogICAgIGlmICggcnYg
KQogICAgICAgICByZXR1cm4gcnY7CiAKQEAgLTIxMCw3ICsyMTcsNyBAQCBz
dGF0aWMgaW50IGZsYXNrX3NlY3VyaXR5X2NvbnRleHQoc3RydWN0CiAgICAg
aWYgKCBydiApCiAgICAgICAgIHJldHVybiBydjsKIAotICAgIHJ2ID0gZmxh
c2tfY29weWluX3N0cmluZyhhcmctPmNvbnRleHQsICZidWYsIGFyZy0+c2l6
ZSk7CisgICAgcnYgPSBmbGFza19jb3B5aW5fc3RyaW5nKGFyZy0+Y29udGV4
dCwgJmJ1ZiwgYXJnLT5zaXplLCBQQUdFX1NJWkUpOwogICAgIGlmICggcnYg
KQogICAgICAgICByZXR1cm4gcnY7CiAKQEAgLTMwMyw3ICszMTAsNyBAQCBz
dGF0aWMgaW50IGZsYXNrX3NlY3VyaXR5X3Jlc29sdmVfYm9vbChzCiAgICAg
aWYgKCBhcmctPmJvb2xfaWQgIT0gLTEgKQogICAgICAgICByZXR1cm4gMDsK
IAotICAgIHJ2ID0gZmxhc2tfY29weWluX3N0cmluZyhhcmctPm5hbWUsICZu
YW1lLCBhcmctPnNpemUpOworICAgIHJ2ID0gZmxhc2tfY29weWluX3N0cmlu
ZyhhcmctPm5hbWUsICZuYW1lLCBhcmctPnNpemUsIGJvb2xfbWF4c3RyKTsK
ICAgICBpZiAoIHJ2ICkKICAgICAgICAgcmV0dXJuIHJ2OwogCkBAIC0zMzQs
NyArMzQxLDcgQEAgc3RhdGljIGludCBmbGFza19zZWN1cml0eV9zZXRfYm9v
bChzdHJ1YwogICAgICAgICBpbnQgbnVtOwogICAgICAgICBpbnQgKnZhbHVl
czsKIAotICAgICAgICBydiA9IHNlY3VyaXR5X2dldF9ib29scygmbnVtLCBO
VUxMLCAmdmFsdWVzKTsKKyAgICAgICAgcnYgPSBzZWN1cml0eV9nZXRfYm9v
bHMoJm51bSwgTlVMTCwgJnZhbHVlcywgTlVMTCk7CiAgICAgICAgIGlmICgg
cnYgIT0gMCApCiAgICAgICAgICAgICBnb3RvIG91dDsKIApAQCAtNDQwLDcg
KzQ0Nyw3IEBAIHN0YXRpYyBpbnQgZmxhc2tfc2VjdXJpdHlfbWFrZV9ib29s
cyh2b2kKICAgICAKICAgICB4ZnJlZShib29sX3BlbmRpbmdfdmFsdWVzKTsK
ICAgICAKLSAgICByZXQgPSBzZWN1cml0eV9nZXRfYm9vbHMoJm51bSwgTlVM
TCwgJnZhbHVlcyk7CisgICAgcmV0ID0gc2VjdXJpdHlfZ2V0X2Jvb2xzKCZu
dW0sIE5VTEwsICZ2YWx1ZXMsICZib29sX21heHN0cik7CiAgICAgaWYgKCBy
ZXQgIT0gMCApCiAgICAgICAgIGdvdG8gb3V0OwogCi0tLSBhL3hlbi94c20v
Zmxhc2svaW5jbHVkZS9jb25kaXRpb25hbC5oCisrKyBiL3hlbi94c20vZmxh
c2svaW5jbHVkZS9jb25kaXRpb25hbC5oCkBAIC0xMyw3ICsxMyw5IEBACiAj
aWZuZGVmIF9GTEFTS19DT05ESVRJT05BTF9IXwogI2RlZmluZSBfRkxBU0tf
Q09ORElUSU9OQUxfSF8KIAotaW50IHNlY3VyaXR5X2dldF9ib29scyhpbnQg
KmxlbiwgY2hhciAqKipuYW1lcywgaW50ICoqdmFsdWVzKTsKKyNpbmNsdWRl
IDx4ZW4vdHlwZXMuaD4KKworaW50IHNlY3VyaXR5X2dldF9ib29scyhpbnQg
KmxlbiwgY2hhciAqKipuYW1lcywgaW50ICoqdmFsdWVzLCBzaXplX3QgKm1h
eHN0cik7CiAKIGludCBzZWN1cml0eV9zZXRfYm9vbHMoaW50IGxlbiwgaW50
ICp2YWx1ZXMpOwogCi0tLSBhL3hlbi94c20vZmxhc2svc3Mvc2VydmljZXMu
YworKysgYi94ZW4veHNtL2ZsYXNrL3NzL3NlcnZpY2VzLmMKQEAgLTE5MDAs
NyArMTkwMCw3IEBAIGludCBzZWN1cml0eV9maW5kX2Jvb2woY29uc3QgY2hh
ciAqbmFtZSkKICAgICByZXR1cm4gcnY7CiB9CiAKLWludCBzZWN1cml0eV9n
ZXRfYm9vbHMoaW50ICpsZW4sIGNoYXIgKioqbmFtZXMsIGludCAqKnZhbHVl
cykKK2ludCBzZWN1cml0eV9nZXRfYm9vbHMoaW50ICpsZW4sIGNoYXIgKioq
bmFtZXMsIGludCAqKnZhbHVlcywgc2l6ZV90ICptYXhzdHIpCiB7CiAgICAg
aW50IGksIHJjID0gLUVOT01FTTsKIApAQCAtMTkwOCw2ICsxOTA4LDggQEAg
aW50IHNlY3VyaXR5X2dldF9ib29scyhpbnQgKmxlbiwgY2hhciAqKgogICAg
IGlmICggbmFtZXMgKQogICAgICAgICAqbmFtZXMgPSBOVUxMOwogICAgICp2
YWx1ZXMgPSBOVUxMOworICAgIGlmICggbWF4c3RyICkKKyAgICAgICAgKm1h
eHN0ciA9IDA7CiAKICAgICAqbGVuID0gcG9saWN5ZGIucF9ib29scy5ucHJp
bTsKICAgICBpZiAoICEqbGVuICkKQEAgLTE5MjksMTYgKzE5MzEsMTcgQEAg
aW50IHNlY3VyaXR5X2dldF9ib29scyhpbnQgKmxlbiwgY2hhciAqKgogCiAg
ICAgZm9yICggaSA9IDA7IGkgPCAqbGVuOyBpKysgKQogICAgIHsKLSAgICAg
ICAgc2l6ZV90IG5hbWVfbGVuOworICAgICAgICBzaXplX3QgbmFtZV9sZW4g
PSBzdHJsZW4ocG9saWN5ZGIucF9ib29sX3ZhbF90b19uYW1lW2ldKTsKKwog
ICAgICAgICAoKnZhbHVlcylbaV0gPSBwb2xpY3lkYi5ib29sX3ZhbF90b19z
dHJ1Y3RbaV0tPnN0YXRlOwogICAgICAgICBpZiAoIG5hbWVzICkgewotICAg
ICAgICAgICAgbmFtZV9sZW4gPSBzdHJsZW4ocG9saWN5ZGIucF9ib29sX3Zh
bF90b19uYW1lW2ldKSArIDE7Ci0gICAgICAgICAgICAoKm5hbWVzKVtpXSA9
IChjaGFyKil4bWFsbG9jX2FycmF5KGNoYXIsIG5hbWVfbGVuKTsKKyAgICAg
ICAgICAgICgqbmFtZXMpW2ldID0geG1hbGxvY19hcnJheShjaGFyLCBuYW1l
X2xlbiArIDEpOwogICAgICAgICAgICAgaWYgKCAhKCpuYW1lcylbaV0gKQog
ICAgICAgICAgICAgICAgIGdvdG8gZXJyOwotICAgICAgICAgICAgc3RybGNw
eSgoKm5hbWVzKVtpXSwgcG9saWN5ZGIucF9ib29sX3ZhbF90b19uYW1lW2ld
LCBuYW1lX2xlbik7Ci0gICAgICAgICAgICAoKm5hbWVzKVtpXVtuYW1lX2xl
biAtIDFdID0gMDsKKyAgICAgICAgICAgIHN0cmxjcHkoKCpuYW1lcylbaV0s
IHBvbGljeWRiLnBfYm9vbF92YWxfdG9fbmFtZVtpXSwgbmFtZV9sZW4gKyAx
KTsKICAgICAgICAgfQorICAgICAgICBpZiAoIG1heHN0ciAmJiBuYW1lX2xl
biA+ICptYXhzdHIgKQorICAgICAgICAgICAgKm1heHN0ciA9IG5hbWVfbGVu
OwogICAgIH0KICAgICByYyA9IDA7CiBvdXQ6CkBAIC0yMDU2LDcgKzIwNTks
NyBAQCBzdGF0aWMgaW50IHNlY3VyaXR5X3ByZXNlcnZlX2Jvb2xzKHN0cnVj
CiAgICAgc3RydWN0IGNvbmRfYm9vbF9kYXR1bSAqYm9vbGRhdHVtOwogICAg
IHN0cnVjdCBjb25kX25vZGUgKmN1cjsKIAotICAgIHJjID0gc2VjdXJpdHlf
Z2V0X2Jvb2xzKCZuYm9vbHMsICZibmFtZXMsICZidmFsdWVzKTsKKyAgICBy
YyA9IHNlY3VyaXR5X2dldF9ib29scygmbmJvb2xzLCAmYm5hbWVzLCAmYnZh
bHVlcywgTlVMTCk7CiAgICAgaWYgKCByYyApCiAgICAgICAgIGdvdG8gb3V0
OwogICAgIGZvciAoIGkgPSAwOyBpIDwgbmJvb2xzOyBpKysgKQo=

--=separator
Content-Type: application/octet-stream; name="xsa84-unstable-4.3.patch"
Content-Disposition: attachment; filename="xsa84-unstable-4.3.patch"
Content-Transfer-Encoding: base64

Zmxhc2s6IGZpeCByZWFkaW5nIHN0cmluZ3MgZnJvbSBndWVzdCBtZW1vcnkK
ClNpbmNlIHRoZSBzdHJpbmcgc2l6ZSBpcyBiZWluZyBzcGVjaWZpZWQgYnkg
dGhlIGd1ZXN0LCB3ZSBtdXN0IHJhbmdlCmNoZWNrIGl0IHByb3Blcmx5IGJl
Zm9yZSBkb2luZyBhbGxvY2F0aW9ucyBiYXNlZCBvbiBpdC4gV2hpbGUgZm9y
IHRoZQp0d28gY2FzZXMgdGhhdCBhcmUgZXhwb3NlZCBvbmx5IHRvIHRydXN0
ZWQgZ3Vlc3RzICh2aWEgcG9saWN5CnJlc3RyaWN0aW9uKSB0aGlzIGp1c3Qg
dXNlcyBhbiBhcmJpdHJhcnkgdXBwZXIgbGltaXQgKFBBR0VfU0laRSksIGZv
cgp0aGUgRkxBU0tfW0dTXUVUQk9PTCBjYXNlICh3aGljaCBhbnkgZ3Vlc3Qg
Y2FuIHVzZSkgdGhlIHVwcGVyIGxpbWl0CmdldHMgZW5mb3JjZWQgYmFzZWQg
b24gdGhlIGxvbmdlc3QgbmFtZSBhY3Jvc3MgYWxsIGJvb2xlYW4gc2V0dGlu
Z3MuCgpUaGlzIGlzIFhTQS04NC4KClJlcG9ydGVkLWJ5OiBNYXR0aGV3IERh
bGV5IDxtYXR0ZEBidWdmdXp6LmNvbT4KU2lnbmVkLW9mZi1ieTogSmFuIEJl
dWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpBY2tlZC1ieTogRGFuaWVsIERl
IEdyYWFmIDxkZ2RlZ3JhQHR5Y2hvLm5zYS5nb3Y+CgotLS0gYS94ZW4veHNt
L2ZsYXNrL2ZsYXNrX29wLmMKKysrIGIveGVuL3hzbS9mbGFzay9mbGFza19v
cC5jCkBAIC01Myw2ICs1Myw3IEBAIHN0YXRpYyBERUZJTkVfU1BJTkxPQ0so
c2VsX3NlbSk7CiAvKiBnbG9iYWwgZGF0YSBmb3IgYm9vbGVhbnMgKi8KIHN0
YXRpYyBpbnQgYm9vbF9udW0gPSAwOwogc3RhdGljIGludCAqYm9vbF9wZW5k
aW5nX3ZhbHVlcyA9IE5VTEw7CitzdGF0aWMgc2l6ZV90IGJvb2xfbWF4c3Ry
Owogc3RhdGljIGludCBmbGFza19zZWN1cml0eV9tYWtlX2Jvb2xzKHZvaWQp
OwogCiBleHRlcm4gaW50IHNzX2luaXRpYWxpemVkOwpAQCAtNzEsOSArNzIs
MTUgQEAgc3RhdGljIGludCBkb21haW5faGFzX3NlY3VyaXR5KHN0cnVjdCBk
bwogICAgICAgICAgICAgICAgICAgICAgICAgcGVybXMsIE5VTEwpOwogfQog
Ci1zdGF0aWMgaW50IGZsYXNrX2NvcHlpbl9zdHJpbmcoWEVOX0dVRVNUX0hB
TkRMRV9QQVJBTShjaGFyKSB1X2J1ZiwgY2hhciAqKmJ1ZiwgdWludDMyX3Qg
c2l6ZSkKK3N0YXRpYyBpbnQgZmxhc2tfY29weWluX3N0cmluZyhYRU5fR1VF
U1RfSEFORExFX1BBUkFNKGNoYXIpIHVfYnVmLCBjaGFyICoqYnVmLAorICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgIHNpemVfdCBzaXplLCBzaXpl
X3QgbWF4X3NpemUpCiB7Ci0gICAgY2hhciAqdG1wID0geG1hbGxvY19ieXRl
cyhzaXplICsgMSk7CisgICAgY2hhciAqdG1wOworCisgICAgaWYgKCBzaXpl
ID4gbWF4X3NpemUgKQorICAgICAgICByZXR1cm4gLUVOT0VOVDsKKworICAg
IHRtcCA9IHhtYWxsb2NfYXJyYXkoY2hhciwgc2l6ZSArIDEpOwogICAgIGlm
ICggIXRtcCApCiAgICAgICAgIHJldHVybiAtRU5PTUVNOwogCkBAIC05OSw3
ICsxMDYsNyBAQCBzdGF0aWMgaW50IGZsYXNrX3NlY3VyaXR5X3VzZXIoc3Ry
dWN0IHhlCiAgICAgaWYgKCBydiApCiAgICAgICAgIHJldHVybiBydjsKIAot
ICAgIHJ2ID0gZmxhc2tfY29weWluX3N0cmluZyhhcmctPnUudXNlciwgJnVz
ZXIsIGFyZy0+c2l6ZSk7CisgICAgcnYgPSBmbGFza19jb3B5aW5fc3RyaW5n
KGFyZy0+dS51c2VyLCAmdXNlciwgYXJnLT5zaXplLCBQQUdFX1NJWkUpOwog
ICAgIGlmICggcnYgKQogICAgICAgICByZXR1cm4gcnY7CiAKQEAgLTIxMCw3
ICsyMTcsNyBAQCBzdGF0aWMgaW50IGZsYXNrX3NlY3VyaXR5X2NvbnRleHQo
c3RydWN0CiAgICAgaWYgKCBydiApCiAgICAgICAgIHJldHVybiBydjsKIAot
ICAgIHJ2ID0gZmxhc2tfY29weWluX3N0cmluZyhhcmctPmNvbnRleHQsICZi
dWYsIGFyZy0+c2l6ZSk7CisgICAgcnYgPSBmbGFza19jb3B5aW5fc3RyaW5n
KGFyZy0+Y29udGV4dCwgJmJ1ZiwgYXJnLT5zaXplLCBQQUdFX1NJWkUpOwog
ICAgIGlmICggcnYgKQogICAgICAgICByZXR1cm4gcnY7CiAKQEAgLTMwMyw3
ICszMTAsNyBAQCBzdGF0aWMgaW50IGZsYXNrX3NlY3VyaXR5X3Jlc29sdmVf
Ym9vbChzCiAgICAgaWYgKCBhcmctPmJvb2xfaWQgIT0gLTEgKQogICAgICAg
ICByZXR1cm4gMDsKIAotICAgIHJ2ID0gZmxhc2tfY29weWluX3N0cmluZyhh
cmctPm5hbWUsICZuYW1lLCBhcmctPnNpemUpOworICAgIHJ2ID0gZmxhc2tf
Y29weWluX3N0cmluZyhhcmctPm5hbWUsICZuYW1lLCBhcmctPnNpemUsIGJv
b2xfbWF4c3RyKTsKICAgICBpZiAoIHJ2ICkKICAgICAgICAgcmV0dXJuIHJ2
OwogCkBAIC0zMzQsNyArMzQxLDcgQEAgc3RhdGljIGludCBmbGFza19zZWN1
cml0eV9zZXRfYm9vbChzdHJ1YwogICAgICAgICBpbnQgbnVtOwogICAgICAg
ICBpbnQgKnZhbHVlczsKIAotICAgICAgICBydiA9IHNlY3VyaXR5X2dldF9i
b29scygmbnVtLCBOVUxMLCAmdmFsdWVzKTsKKyAgICAgICAgcnYgPSBzZWN1
cml0eV9nZXRfYm9vbHMoJm51bSwgTlVMTCwgJnZhbHVlcywgTlVMTCk7CiAg
ICAgICAgIGlmICggcnYgIT0gMCApCiAgICAgICAgICAgICBnb3RvIG91dDsK
IApAQCAtNDQwLDcgKzQ0Nyw3IEBAIHN0YXRpYyBpbnQgZmxhc2tfc2VjdXJp
dHlfbWFrZV9ib29scyh2b2kKICAgICAKICAgICB4ZnJlZShib29sX3BlbmRp
bmdfdmFsdWVzKTsKICAgICAKLSAgICByZXQgPSBzZWN1cml0eV9nZXRfYm9v
bHMoJm51bSwgTlVMTCwgJnZhbHVlcyk7CisgICAgcmV0ID0gc2VjdXJpdHlf
Z2V0X2Jvb2xzKCZudW0sIE5VTEwsICZ2YWx1ZXMsICZib29sX21heHN0cik7
CiAgICAgaWYgKCByZXQgIT0gMCApCiAgICAgICAgIGdvdG8gb3V0OwogCi0t
LSBhL3hlbi94c20vZmxhc2svaW5jbHVkZS9jb25kaXRpb25hbC5oCisrKyBi
L3hlbi94c20vZmxhc2svaW5jbHVkZS9jb25kaXRpb25hbC5oCkBAIC0xMyw3
ICsxMyw5IEBACiAjaWZuZGVmIF9GTEFTS19DT05ESVRJT05BTF9IXwogI2Rl
ZmluZSBfRkxBU0tfQ09ORElUSU9OQUxfSF8KIAotaW50IHNlY3VyaXR5X2dl
dF9ib29scyhpbnQgKmxlbiwgY2hhciAqKipuYW1lcywgaW50ICoqdmFsdWVz
KTsKKyNpbmNsdWRlIDx4ZW4vdHlwZXMuaD4KKworaW50IHNlY3VyaXR5X2dl
dF9ib29scyhpbnQgKmxlbiwgY2hhciAqKipuYW1lcywgaW50ICoqdmFsdWVz
LCBzaXplX3QgKm1heHN0cik7CiAKIGludCBzZWN1cml0eV9zZXRfYm9vbHMo
aW50IGxlbiwgaW50ICp2YWx1ZXMpOwogCi0tLSBhL3hlbi94c20vZmxhc2sv
c3Mvc2VydmljZXMuYworKysgYi94ZW4veHNtL2ZsYXNrL3NzL3NlcnZpY2Vz
LmMKQEAgLTE4NTAsNyArMTg1MCw3IEBAIGludCBzZWN1cml0eV9maW5kX2Jv
b2woY29uc3QgY2hhciAqbmFtZSkKICAgICByZXR1cm4gcnY7CiB9CiAKLWlu
dCBzZWN1cml0eV9nZXRfYm9vbHMoaW50ICpsZW4sIGNoYXIgKioqbmFtZXMs
IGludCAqKnZhbHVlcykKK2ludCBzZWN1cml0eV9nZXRfYm9vbHMoaW50ICps
ZW4sIGNoYXIgKioqbmFtZXMsIGludCAqKnZhbHVlcywgc2l6ZV90ICptYXhz
dHIpCiB7CiAgICAgaW50IGksIHJjID0gLUVOT01FTTsKIApAQCAtMTg1OCw2
ICsxODU4LDggQEAgaW50IHNlY3VyaXR5X2dldF9ib29scyhpbnQgKmxlbiwg
Y2hhciAqKgogICAgIGlmICggbmFtZXMgKQogICAgICAgICAqbmFtZXMgPSBO
VUxMOwogICAgICp2YWx1ZXMgPSBOVUxMOworICAgIGlmICggbWF4c3RyICkK
KyAgICAgICAgKm1heHN0ciA9IDA7CiAKICAgICAqbGVuID0gcG9saWN5ZGIu
cF9ib29scy5ucHJpbTsKICAgICBpZiAoICEqbGVuICkKQEAgLTE4NzksMTYg
KzE4ODEsMTcgQEAgaW50IHNlY3VyaXR5X2dldF9ib29scyhpbnQgKmxlbiwg
Y2hhciAqKgogCiAgICAgZm9yICggaSA9IDA7IGkgPCAqbGVuOyBpKysgKQog
ICAgIHsKLSAgICAgICAgc2l6ZV90IG5hbWVfbGVuOworICAgICAgICBzaXpl
X3QgbmFtZV9sZW4gPSBzdHJsZW4ocG9saWN5ZGIucF9ib29sX3ZhbF90b19u
YW1lW2ldKTsKKwogICAgICAgICAoKnZhbHVlcylbaV0gPSBwb2xpY3lkYi5i
b29sX3ZhbF90b19zdHJ1Y3RbaV0tPnN0YXRlOwogICAgICAgICBpZiAoIG5h
bWVzICkgewotICAgICAgICAgICAgbmFtZV9sZW4gPSBzdHJsZW4ocG9saWN5
ZGIucF9ib29sX3ZhbF90b19uYW1lW2ldKSArIDE7Ci0gICAgICAgICAgICAo
Km5hbWVzKVtpXSA9IChjaGFyKil4bWFsbG9jX2FycmF5KGNoYXIsIG5hbWVf
bGVuKTsKKyAgICAgICAgICAgICgqbmFtZXMpW2ldID0geG1hbGxvY19hcnJh
eShjaGFyLCBuYW1lX2xlbiArIDEpOwogICAgICAgICAgICAgaWYgKCAhKCpu
YW1lcylbaV0gKQogICAgICAgICAgICAgICAgIGdvdG8gZXJyOwotICAgICAg
ICAgICAgc3RybGNweSgoKm5hbWVzKVtpXSwgcG9saWN5ZGIucF9ib29sX3Zh
bF90b19uYW1lW2ldLCBuYW1lX2xlbik7Ci0gICAgICAgICAgICAoKm5hbWVz
KVtpXVtuYW1lX2xlbiAtIDFdID0gMDsKKyAgICAgICAgICAgIHN0cmxjcHko
KCpuYW1lcylbaV0sIHBvbGljeWRiLnBfYm9vbF92YWxfdG9fbmFtZVtpXSwg
bmFtZV9sZW4gKyAxKTsKICAgICAgICAgfQorICAgICAgICBpZiAoIG1heHN0
ciAmJiBuYW1lX2xlbiA+ICptYXhzdHIgKQorICAgICAgICAgICAgKm1heHN0
ciA9IG5hbWVfbGVuOwogICAgIH0KICAgICByYyA9IDA7CiBvdXQ6CkBAIC0y
MDA2LDcgKzIwMDksNyBAQCBzdGF0aWMgaW50IHNlY3VyaXR5X3ByZXNlcnZl
X2Jvb2xzKHN0cnVjCiAgICAgc3RydWN0IGNvbmRfYm9vbF9kYXR1bSAqYm9v
bGRhdHVtOwogICAgIHN0cnVjdCBjb25kX25vZGUgKmN1cjsKIAotICAgIHJj
ID0gc2VjdXJpdHlfZ2V0X2Jvb2xzKCZuYm9vbHMsICZibmFtZXMsICZidmFs
dWVzKTsKKyAgICByYyA9IHNlY3VyaXR5X2dldF9ib29scygmbmJvb2xzLCAm
Ym5hbWVzLCAmYnZhbHVlcywgTlVMTCk7CiAgICAgaWYgKCByYyApCiAgICAg
ICAgIGdvdG8gb3V0OwogICAgIGZvciAoIGkgPSAwOyBpIDwgbmJvb2xzOyBp
KysgKQo=

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
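
The "size + 1" wrap described under ISSUE DESCRIPTION above, together with the two kinds of check the attached patches add (an upper bound on the guest-supplied string size before any allocation, and a bounds check on the boolean index in the 4.1 patch), as an added C example. This is not Xen code and is not part of the advisory: the function names, the malloc/memcpy stand-ins for the hypervisor allocator and copy_from_guest, the fake guest buffer and the three-entry boolean table are all constructed for the demonstration.

```c
/*
 * Added example (not Xen code, not from the advisory): the XSA-84
 * "size + 1" wrap and the shape of the fixes, written stand-alone.
 * Function names, the fake guest buffer and the boolean table are
 * constructed for this demo; the real code is xen/xsm/flask/flask_op.c.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pre-fix arithmetic: the guest-supplied 32-bit size has +1 applied in
 * 32-bit unsigned arithmetic, so 0xFFFFFFFF wraps to 0 and the hypercall
 * allocates, then accesses, a zero-byte buffer. */
uint32_t vuln_alloc_len(uint32_t guest_size)
{
    return guest_size + 1;          /* UINT32_MAX + 1 == 0 */
}

/* Post-fix shape: bound the guest-supplied size against a caller-chosen
 * maximum before any arithmetic or allocation. Returns 0 and sets *out
 * (caller frees), -ENOENT if size is out of range, -ENOMEM on OOM. */
int hardened_copyin_string(const char *guest_buf, size_t size,
                           size_t max_size, char **out)
{
    char *tmp;

    if (size > max_size)
        return -ENOENT;

    tmp = malloc(size + 1);         /* cannot wrap: size <= max_size */
    if (!tmp)
        return -ENOMEM;

    memcpy(tmp, guest_buf, size);   /* stands in for copy_from_guest() */
    tmp[size] = '\0';
    *out = tmp;
    return 0;
}

/* Convenience wrapper: run a copy-in and return only its status. */
int copyin_status(const char *guest_buf, size_t size, size_t max_size)
{
    char *s = NULL;
    int rc = hardened_copyin_string(guest_buf, size, max_size, &s);

    free(s);
    return rc;
}

/* Boolean index check in the spirit of the 4.1 patch: parse
 * "<index> <value>" and refuse an index outside [0, nbools) before
 * touching the table. The index is unsigned, so one >= test is enough.
 * Returns the stored value (0 or 1), or -1 if the request is rejected. */
int set_bool_checked(const char *buf, unsigned int nbools, int *values)
{
    unsigned int i, new_value;

    if (sscanf(buf, "%u %u", &i, &new_value) != 2)
        return -1;
    if (i >= nbools)
        return -1;
    values[i] = new_value ? 1 : 0;
    return values[i];
}

/* Wrapper over a constructed three-entry boolean table. */
int bool_demo(const char *cmd)
{
    static int table[3];            /* constructed, all initially 0 */

    return set_bool_checked(cmd, 3, table);
}

/* Stand-alone demo over constructed inputs. */
int main(void)
{
    static const char guest[] = "allow_foo";   /* constructed guest data */
    char *s = NULL;

    printf("vulnerable length for 0xFFFFFFFF: %u\n",
           (unsigned)vuln_alloc_len(UINT32_MAX));
    printf("copy-in of %u bytes, limit 4096: %d\n",
           (unsigned)(sizeof(guest) - 1),
           hardened_copyin_string(guest, sizeof(guest) - 1, 4096, &s));
    printf("copied string: %s\n", s ? s : "(none)");
    free(s);
    printf("copy-in of 0xFFFFFFFF bytes, limit 4096: %d (-ENOENT is %d)\n",
           copyin_status(guest, (size_t)UINT32_MAX, 4096), -ENOENT);
    printf("set bool 1 -> %d, set bool 7 -> %d\n",
           bool_demo("1 1"), bool_demo("7 1"));
    return 0;
}
```

Build with any C compiler and run. vuln_alloc_len(UINT32_MAX) returns 0, which is the zero-byte allocation the IMPACT section refers to, while hardened_copyin_string refuses the same size with -ENOENT before allocating anything. The order is the point: the range check runs before the arithmetic, so `size + 1` is only ever computed for values that cannot wrap, and the index check runs before the table is touched.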


From xen-announce-bounces@lists.xen.org Mon Feb 10 11:27:49 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 10 Feb 2014 11:27:49 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1WCp0U-0007f5-60; Mon, 10 Feb 2014 11:26:34 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WCp0S-0007el-Id; Mon, 10 Feb 2014 11:26:32 +0000
Received: from [85.158.137.68:36912] by server-16.bemta-3.messagelabs.com id
	AA/24-29917-767B8F25; Mon, 10 Feb 2014 11:26:31 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-2.tower-31.messagelabs.com!1392031589!798079!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 28639 invoked from network); 10 Feb 2014 11:26:30 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-2.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	10 Feb 2014 11:26:30 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WCp0K-000265-Jz; Mon, 10 Feb 2014 11:26:24 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WCp0J-0004NW-OI; Mon, 10 Feb 2014 11:26:24 +0000
Date: Mon, 10 Feb 2014 11:26:23 +0000
Message-Id: <E1WCp0J-0004NW-OI@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 85 (CVE-2014-1895) -
 Off-by-one error in FLASK_AVC_CACHESTAT hypercall
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2014-1895 / XSA-85
                              version 3

          Off-by-one error in FLASK_AVC_CACHESTAT hypercall

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

The FLASK_AVC_CACHESTAT hypercall, which provides access to per-cpu
statistics on the Flask security policy, incorrectly validates the
CPU for which statistics are being requested.

IMPACT
======

An attacker can cause the hypervisor to read past the end of an
array. This may result in either a host crash, leading to a denial of
service, or access to a small and static region of hypervisor memory,
leading to an information leak.

VULNERABLE SYSTEMS
==================

Xen version 4.2 and later are vulnerable to this issue when built with
XSM/Flask support. XSM support is disabled by default and is enabled
by building with XSM_ENABLE=y.

Only systems whose number of physical CPUs equals the maximum supported
number are vulnerable. Systems with a greater number of physical CPUs
make use of only the maximum supported number and are therefore also
vulnerable.

By default the following maximums apply:
 * x86_32: 128 (only until Xen 4.2.x)
 * x86_64: 256
These defaults can be overridden at build time via max_phys_cpus=N.

The vulnerable hypercall is exposed to all domains.

MITIGATION
==========

Rebuilding Xen with more supported physical CPUs can avoid the
vulnerability; provided that the supported number is strictly greater
than the actual number of CPUs on any host on which the hypervisor is
to run.

If XSM is compiled in, but not actually in use, compiling it out (with
XSM_ENABLE=n) will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa85.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa85*.patch
20571024e6815eeb40d2f92a3d70ae699047cffafb5431ec74b652e0843a5315  xsa85.patch
$

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJS+LcqAAoJEIP+FMlX6CvZPk8H/iA8bLP81SKPT6IUlaw8RjzU
ZECj3ord+tLAcjvu93RmI5WVANNscwNdxhBIVQApzFOqMC5LGho5HHXgvi2WuRo4
zc3b4djT0PN6tTMAhJZU9WwZxIQx+60VSDpIJbVGyLrEjGHxS/l/liM3cOuj5FZs
ZpT3cQ47yHskkgCXGhdR4keAaXEA9qBtQ6EbraMWt/ynjXmZ2UGQyRB+md3IaG38
FOhzVIVvsGJ0ZrxhByrBrNYN04Fdnqx707dNIg5fYflqzuTJkuMiL4dLlBJBMeiP
aVEIAW1TD3ObiXNbC3/AjrXdgttA5e1JIHGJb9LV0RO1rhjuyZGLiLNp+Omx3KI=
=wpcu
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa85.patch"
Content-Disposition: attachment; filename="xsa85.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
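The off-by-one described in this advisory, as an added C example that is not Xen's code: a model hypercall handler that checks a guest-chosen CPU index against a per-CPU statistics array with `>` where `>=` was needed, beside the corrected check. MAX_CPUS, the avc_stats structure, the sample counters and the helper names are all constructed for the illustration; the real FLASK_AVC_CACHESTAT implementation is not reproduced here.

```c
/* Added example (not Xen code): a model of the XSA-85 bug class, in which a
 * guest-chosen CPU index is checked against the supported CPU count with
 * the wrong comparison operator. All names, sizes and values are
 * constructed for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CPUS 4   /* stands in for the build-time max_phys_cpus limit */

struct avc_stats {
    uint32_t lookups;
    uint32_t hits;
};

/* One slot per supported CPU, plus one extra slot that stands in for
 * whatever hypervisor memory happens to follow the real array. Keeping
 * that slot inside the array keeps this demo free of undefined behaviour
 * while still showing what an off-by-one read hands back to the caller. */
static const struct avc_stats avc_cache_stats[MAX_CPUS + 1] = {
    {100, 90}, {200, 150}, {300, 299}, {400, 10},
    {0xDEAD, 0xBEEF},   /* "adjacent memory": never meant to be readable */
};

/* Vulnerable pattern: '>' lets cpu == MAX_CPUS through, which indexes one
 * element past the end of a MAX_CPUS-sized array. The off-by-one only
 * matters when the host really populates every supported slot, which is
 * why the advisory limits the vulnerable systems to fully populated hosts
 * and suggests building with a larger max_phys_cpus. */
int cachestat_vulnerable(unsigned int cpu, struct avc_stats *out)
{
    if (cpu > MAX_CPUS)
        return -ENOENT;
    *out = avc_cache_stats[cpu];
    return 0;
}

/* Fixed pattern: valid indexes are 0 .. MAX_CPUS-1, so reject cpu >= MAX_CPUS. */
int cachestat_fixed(unsigned int cpu, struct avc_stats *out)
{
    if (cpu >= MAX_CPUS)
        return -ENOENT;
    *out = avc_cache_stats[cpu];
    return 0;
}

typedef int (*cachestat_fn)(unsigned int, struct avc_stats *);

/* Returns the 'lookups' counter a handler hands back for a CPU index, or
 * -1 if the handler rejected the index. Used to compare the two handlers. */
long read_lookups(cachestat_fn fn, unsigned int cpu)
{
    struct avc_stats s = {0, 0};
    if (fn(cpu, &s) != 0)
        return -1;
    return (long)s.lookups;
}

/* Counts how many indexes in 0 .. MAX_CPUS a handler accepts. A correct
 * bound check accepts exactly MAX_CPUS of them; this is the kind of check
 * a unit test can apply to any index-validating handler. */
unsigned int accepted_indexes(cachestat_fn fn)
{
    unsigned int n = 0;
    for (unsigned int cpu = 0; cpu <= MAX_CPUS; cpu++)
        if (read_lookups(fn, cpu) >= 0)
            n++;
    return n;
}

int main(void)
{
    printf("vulnerable: cpu=%u -> lookups=%ld (accepts %u indexes)\n",
           MAX_CPUS, read_lookups(cachestat_vulnerable, MAX_CPUS),
           accepted_indexes(cachestat_vulnerable));
    printf("fixed:      cpu=%u -> lookups=%ld (accepts %u indexes)\n",
           MAX_CPUS, read_lookups(cachestat_fixed, MAX_CPUS),
           accepted_indexes(cachestat_fixed));
    return 0;
}
```

Building with a larger max_phys_cpus, as the MITIGATION section suggests, works for the same reason the demo's extra slot does: the out-of-range index then lands on a slot that exists but is unused, so neither a fault nor a leak of memory beyond the array can occur. The accepted_indexes() helper pins the bound down directly: a correct check accepts exactly as many indexes as the array has elements.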


From xen-announce-bounces@lists.xen.org Mon Feb 10 11:27:49 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 10 Feb 2014 11:27:49 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1WCp0l-0007k8-Q3; Mon, 10 Feb 2014 11:26:51 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WCp0k-0007jL-5z; Mon, 10 Feb 2014 11:26:50 +0000
Received: from [85.158.143.35:36616] by server-1.bemta-4.messagelabs.com id
	89/97-31661-977B8F25; Mon, 10 Feb 2014 11:26:49 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-16.tower-21.messagelabs.com!1392031607!4487956!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 26827 invoked from network); 10 Feb 2014 11:26:48 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-16.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	10 Feb 2014 11:26:48 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WCp0e-00026M-1r; Mon, 10 Feb 2014 11:26:44 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WCp0d-0004Oa-VA; Mon, 10 Feb 2014 11:26:44 +0000
Date: Mon, 10 Feb 2014 11:26:43 +0000
Message-Id: <E1WCp0d-0004Oa-VA@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 86 (CVE-2014-1896) - libvchan
 failure handling malicious ring indexes
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2014-1896 / XSA-86
                              version 3

           libvchan failure handling malicious ring indexes

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

libvchan (a library for inter-domain communication) does not correctly
handle unusual or malicious contents in the xenstore ring.  A
malicious guest can exploit this to cause a libvchan-using facility to
read or write past the end of the ring.

IMPACT
======

libvchan-using facilities are vulnerable to denial of service and
perhaps privilege escalation.

There are no such services provided in the upstream Xen Project
codebase.

VULNERABLE SYSTEMS
==================

All versions of libvchan are vulnerable.  Only installations which use
libvchan for communication involving untrusted domains are vulnerable.

libvirt, xapi, xend, libxl and xl do not use libvchan.  If your
installation contains other Xen-related software components it is
possible that they use libvchan and might be vulnerable.

Xen versions 4.1 and earlier do not contain libvchan.

MITIGATION
==========

Disabling libvchan-based facilities could be used to mitigate the
vulnerability.

CREDITS
=======

This issue was discovered by Marek Marczykowski-Górecki of Invisible
Things Lab.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

After the patch is applied to the Xen tree and built, any software
which is statically linked against libvchan will need to be relinked
against the new libvchan.a for the fix to take effect.

xsa86.patch        Xen 4.2.x, 4.3.x, 4.4-RC series, and xen-unstable

$ sha256sum xsa86*.patch
cd2df017e42717dd2a1b6f2fdd3ad30a38d3c0fbdd9d08b5f56ee0a01cd87b51  xsa86.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJS+LcuAAoJEIP+FMlX6CvZBjgH/RdmdarkaX/Bravq46egUtWT
OohBLoP+tnkg3w3DSvWlD45dlnwH2ptD/PTxyoH7XMoiajX0h3WRYf8ddu63Nwtl
qghb6EDuYF+iLf9nthdYqreVLdKQOJYXCv6c3i6odHRzGadb3cWTIv1xSDZcn+Qw
djSk2huXpuRVkpJeX05PNCkBktRe0Shwy0zgTUNC0GjWItma+NIKdvRODkON1Ai9
ilRsmlQXc2BJ7RcJGmvtcHEdIgLMJ8MzRZWspFPTuqRbQ1+XUJUxxQvJBAqIYRQ3
29iS0GxqXZDSWtTlY4xwAEdwtzsqVZx8VMQioxLUSB4fqm1s4XEfQEkH5VwoBs8=
=HSDt
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa86.patch"
Content-Disposition: attachment; filename="xsa86.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
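An added C example, not libvchan's code, of the defensive handling this advisory calls for: a consumer that treats the producer and consumer counters in the shared ring header as untrusted input from the peer domain. It shows the unchecked `prod - cons` computation beside a checked version that rejects impossible index pairs and masks every offset before touching the data area. The ring size, the `ring_shared` layout, all function names and the sample bytes are constructed for the illustration.

```c
/* Added example (not libvchan code): a model of the XSA-86 bug class. The
 * ring indexes live in memory the peer domain can write, so a consumer
 * must treat them as untrusted input and validate them before deriving a
 * copy length or an array offset from them. Names, the ring size and the
 * sample contents are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SIZE 8u                 /* power of two, as ring buffers usually are */
#define RING_MASK (RING_SIZE - 1u)

/* Header shared with the peer: both counters are attacker-controlled from
 * the consumer's point of view. Counters run free (they are not reduced
 * modulo RING_SIZE); the offset into the data area is idx & RING_MASK. */
struct ring_shared {
    uint32_t cons;   /* consumer's read counter */
    uint32_t prod;   /* producer's write counter */
};

/* Vulnerable pattern: trusts prod - cons as the number of readable bytes.
 * A peer that sets prod < cons makes the subtraction wrap to nearly 4 GiB,
 * and whatever copy uses that length runs far past the end of the ring. */
uint32_t ring_avail_vulnerable(const struct ring_shared *sh)
{
    return sh->prod - sh->cons;
}

/* Checked version: more than RING_SIZE bytes can never be outstanding in a
 * RING_SIZE-byte ring, so anything larger means a corrupt or hostile peer
 * and the caller should tear the channel down rather than proceed. */
long ring_avail_checked(const struct ring_shared *sh)
{
    uint32_t avail = sh->prod - sh->cons;
    if (avail > RING_SIZE)
        return -EIO;
    return (long)avail;
}

/* Reads up to 'want' bytes out of the ring into 'out', advancing the
 * consumer counter. Every offset into 'data' is masked, so even a wild
 * counter value cannot index outside the RING_SIZE-byte data area, and the
 * wrap-around at the end of the area is handled with two copies.
 * Returns the number of bytes copied, or -EIO for bad indexes. */
long ring_read_checked(struct ring_shared *sh, const uint8_t *data,
                       uint8_t *out, uint32_t want)
{
    long avail = ring_avail_checked(sh);
    if (avail < 0)
        return avail;
    uint32_t n = want < (uint32_t)avail ? want : (uint32_t)avail;
    uint32_t off = sh->cons & RING_MASK;
    uint32_t first = RING_SIZE - off;          /* bytes before the wrap */
    if (first > n)
        first = n;
    memcpy(out, data + off, first);
    memcpy(out + first, data, n - first);      /* 0 bytes if no wrap */
    sh->cons += n;
    return (long)n;
}

/* Self-check with constructed data; returns 1 if a read that wraps around
 * the end of the data area yields the expected bytes, 0 otherwise. */
int demo_wraparound_read(void)
{
    const uint8_t data[RING_SIZE] = {'0','1','2','3','4','5','6','7'};
    struct ring_shared sh = { .cons = 6, .prod = 10 };  /* offsets 6,7,0,1 */
    uint8_t out[RING_SIZE] = {0};
    long n = ring_read_checked(&sh, data, out, RING_SIZE);
    return n == 4 && memcmp(out, "6701", 4) == 0 && sh.cons == 10;
}

int main(void)
{
    struct ring_shared hostile = { .cons = 5, .prod = 2 };   /* prod < cons */
    printf("hostile indexes: unchecked avail=%u, checked rc=%ld\n",
           ring_avail_vulnerable(&hostile), ring_avail_checked(&hostile));
    printf("wrap-around read ok: %d\n", demo_wraparound_read());
    return 0;
}
```

Two properties carry the protection here: the length derived from the peer's counters is bounded by the ring size before it is used, and the offset is masked independently of that length, so neither a bad length nor a bad starting index can reach past the data area. Failing closed with -EIO on an impossible index pair is the right reaction, since a peer that produced such a pair is either broken or hostile and the channel cannot be trusted further.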


From xen-announce-bounces@lists.xen.org Mon Feb 10 11:30:57 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 10 Feb 2014 11:30:57 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1WCp3Q-0000C5-J9; Mon, 10 Feb 2014 11:29:37 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WCp3N-0000B6-In; Mon, 10 Feb 2014 11:29:33 +0000
Received: from [193.109.254.147:17754] by server-3.bemta-14.messagelabs.com id
	A5/98-00432-C18B8F25; Mon, 10 Feb 2014 11:29:32 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-2.tower-27.messagelabs.com!1392031770!3201751!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 18772 invoked from network); 10 Feb 2014 11:29:31 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-2.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	10 Feb 2014 11:29:31 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WCp3H-00028Y-Ew; Mon, 10 Feb 2014 11:29:27 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WCp3H-0004it-7u; Mon, 10 Feb 2014 11:29:27 +0000
Date: Mon, 10 Feb 2014 11:29:27 +0000
Message-Id: <E1WCp3H-0004it-7u@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 84 (CVE-2014-1891,
 CVE-2014-1892, CVE-2014-1893,
 CVE-2014-1894) - integer overflow in several XSM/Flask hypercalls
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 Xen Security Advisory CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894 / XSA-84
                              version 3

           integer overflow in several XSM/Flask hypercalls

UPDATES IN VERSION 3
====================

CVE numbers have been assigned.

ISSUE DESCRIPTION
=================

The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID
suboperations of the flask hypercall are vulnerable to an integer
overflow on the input size. The hypercalls attempt to allocate a
buffer which is 1 larger than this size; that addition can wrap, so
the hypercall allocates a zero byte buffer and then accesses it.
(CVE-2014-1891)

Xen 3.3 through 4.1, while not affected by the above overflow, have a
different overflow issue on FLASK_{GET,SET}BOOL (CVE-2014-1893) and
expose unreasonably large memory allocation to arbitrary guests
(CVE-2014-1892).

Xen 3.2 (and presumably earlier) exhibit both problems with the
overflow issue being present for more than just the suboperations
listed above.  (CVE-2014-1894 for the subops not covered above.)

The FLASK_GETBOOL op is available to all domains.

The FLASK_SETBOOL op is only available to domains which are granted
access via the Flask policy.  However the permissions check is
performed only after running the vulnerable code and the vulnerability
via this subop is exposed to all domains.

The FLASK_USER and FLASK_CONTEXT_TO_SID ops are only available to
domains which are granted access via the Flask policy.

IMPACT
======

Attempting to access the result of a zero byte allocation results in
a processor fault leading to a denial of service.

VULNERABLE SYSTEMS
==================

All Xen versions back to at least 3.2 are vulnerable to this issue when
built with XSM/Flask support. XSM support is disabled by default and is
enabled by building with XSM_ENABLE=y.

We have not checked earlier versions of Xen, but it is likely that
they are vulnerable to this or related vulnerabilities.

All Xen versions built with XSM_ENABLE=y are vulnerable.

MITIGATION
==========

There is no useful mitigation available in installations where XSM
support is actually in use.

In other systems, compiling it out (with XSM_ENABLE=n) will avoid the
vulnerability.

CREDITS
=======

This issue was discovered by Matthew Daley.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa84-unstable-4.3.patch        xen-unstable, Xen 4.3.x
xsa84-4.2.patch                 Xen 4.2.x
xsa84-4.1.patch                 Xen 4.1.x


$ sha256sum xsa84*.patch
e33dd94499959363ad01bebefda9733683c49fd42a9641cf2d7edcd87f853d55  xsa84-4.1.patch
433f3c8a202482c51a48dc0e9e47ac8751d1c0d0759b7bcd22804e1856279a89  xsa84-4.2.patch
64ae433eb606c5446184c08e6fceb9f660ed9a9c28ec112c8cc529251b3b49fb  xsa84-unstable-4.3.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJS+LgGAAoJEIP+FMlX6CvZH1MH/00JKMYdEyaSA3oVGRTeV3Wk
/ZgZl0dTuEBYLWTh/sE8txPGVb7jOvc4pzuhZ8Z0rvh4J10EKjqIUutSs0QR6m3U
+3H+C/eHW98oselKT1csUoIZuf+3oTkZeryVeTyUi7g04xoYHpljT/u+gku8Twuz
G8D3ckchHx5Zi40u0hQWAIOyJxwlpXD74mv2hnHa7X30anpLgGhsBxGLoghJSJwd
x+i82krxbs0Ac7zKQBeVpPhVHE7QHR5Em1BqkxxtT8c93aujeD0Lkdw2H2ki1uOc
+XOEwl/kT9TqiiHy+D+wZwY08xwijC4MZrxvVW35M6DupAG/4i9mv/ICs1GGfK8=
=GrAi
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa84-4.1.patch"
Content-Disposition: attachment; filename="xsa84-4.1.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: application/octet-stream; name="xsa84-4.2.patch"
Content-Disposition: attachment; filename="xsa84-4.2.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: application/octet-stream; name="xsa84-unstable-4.3.patch"
Content-Disposition: attachment; filename="xsa84-unstable-4.3.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
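An added C example, not Xen's code, modelling the `size + 1` overflow this advisory describes for the FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID suboperations, beside a handler that bounds the caller's size before doing arithmetic on it and runs its permission check ahead of the allocation, the ordering problem the advisory notes for FLASK_SETBOOL. MAX_STRING_SIZE, the `allowed` flag, all function names and the sample input are constructed assumptions.

```c
/* Added example (not Xen code): a model of the XSA-84 bug class, where a
 * guest-supplied length is used as 'size + 1' to allocate a buffer for a
 * NUL-terminated copy. The cap, names and sample input are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STRING_SIZE 4096u   /* hypothetical upper bound a handler would enforce */

/* Vulnerable pattern: computes the allocation size with no range check.
 * With size == UINT32_MAX the 32-bit addition wraps to 0, so the handler
 * allocates a zero-byte buffer and then copies into it and terminates it. */
uint32_t alloc_len_vulnerable(uint32_t size)
{
    return (uint32_t)(size + 1u);
}

/* Checked pattern: bound the caller's size before any arithmetic on it.
 * Because MAX_STRING_SIZE is far below UINT32_MAX, size + 1 cannot wrap
 * once size has passed this check. Returns 0 and the length, or -EINVAL. */
int alloc_len_checked(uint32_t size, uint32_t *len)
{
    if (size > MAX_STRING_SIZE)
        return -EINVAL;
    *len = size + 1u;
    return 0;
}

/* A handler in the shape the advisory describes: a copy-in of a guest
 * string guarded by a permission check. The permission check runs first
 * and the size check runs before the allocation, so a caller the policy
 * does not grant never reaches the allocation at all. 'allowed' models
 * the result of the policy lookup. Returns a malloc'ed, NUL-terminated
 * copy, or NULL with *rc set to a negative errno. */
char *copy_in_string(const char *guest_buf, uint32_t size, int allowed, int *rc)
{
    uint32_t len;
    if (!allowed) { *rc = -EPERM; return NULL; }
    if (alloc_len_checked(size, &len) != 0) { *rc = -EINVAL; return NULL; }
    char *buf = malloc(len);
    if (!buf) { *rc = -ENOMEM; return NULL; }
    memcpy(buf, guest_buf, size);
    buf[size] = '\0';
    *rc = 0;
    return buf;
}

/* Drives copy_in_string with a constructed 'guest' buffer and returns the
 * handler's rc; a successful copy is also checked for content. */
int try_copy(const char *guest_buf, uint32_t size, int allowed)
{
    int rc;
    char *s = copy_in_string(guest_buf, size, allowed, &rc);
    if (s) {
        if (strlen(s) != size || memcmp(s, guest_buf, size) != 0)
            rc = -EIO;    /* would indicate a copy bug in this model */
        free(s);
    }
    return rc;
}

int main(void)
{
    uint32_t len = 0;
    printf("unchecked: size=UINT32_MAX -> allocates %u bytes\n",
           alloc_len_vulnerable(UINT32_MAX));
    printf("checked:   size=UINT32_MAX -> rc=%d\n",
           alloc_len_checked(UINT32_MAX, &len));
    printf("copy of \"bool_name\" as allowed caller -> rc=%d\n",
           try_copy("bool_name", 9, 1));
    printf("same request from a caller without permission -> rc=%d\n",
           try_copy("bool_name", 9, 0));
    return 0;
}
```

The order of checks matters as much as the checks themselves: with the permission test first, a FLASK_SETBOOL-style path is unreachable for a domain the policy does not grant it to, and with the size bound ahead of the arithmetic, the addition cannot wrap whatever the caller supplies. This is also the reason the advisory lists no useful mitigation for systems that actually use XSM: the FLASK_GETBOOL path needs no permission at all, so only the size check in the patched code closes it.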


From xen-announce-bounces@lists.xen.org Mon Feb 10 11:30:57 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 10 Feb 2014 11:30:57 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1WCp3Q-0000C5-J9; Mon, 10 Feb 2014 11:29:37 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WCp3N-0000B6-In; Mon, 10 Feb 2014 11:29:33 +0000
Received: from [193.109.254.147:17754] by server-3.bemta-14.messagelabs.com id
	A5/98-00432-C18B8F25; Mon, 10 Feb 2014 11:29:32 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-2.tower-27.messagelabs.com!1392031770!3201751!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 18772 invoked from network); 10 Feb 2014 11:29:31 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-2.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	10 Feb 2014 11:29:31 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WCp3H-00028Y-Ew; Mon, 10 Feb 2014 11:29:27 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WCp3H-0004it-7u; Mon, 10 Feb 2014 11:29:27 +0000
Date: Mon, 10 Feb 2014 11:29:27 +0000
Message-Id: <E1WCp3H-0004it-7u@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 84 (CVE-2014-1891,
 CVE-2014-1892, CVE-2014-1893,
 CVE-2014-1894) - integer overflow in several XSM/Flask hypercalls
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 Xen Security Advisory CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894 / XSA-84
                              version 3

           integer overflow in several XSM/Flask hypercalls

UPDATES IN VERSION 3
====================

CVE numbers have been assigned.

ISSUE DESCRIPTION
=================

The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID
suboperations of the flask hypercall are vulnerable to an integer
overflow on the input size. The hypercalls attempt to allocate a
buffer which is 1 larger than this size and is therefore vulnerable to
integer overflow and an attempt to allocate then access a zero byte
buffer.  (CVE-2014-1891)

Xen 3.3 through 4.1, while not affected by the above overflow, have a
different overflow issue on FLASK_{GET,SET}BOOL (CVE-2014-1893) and
expose unreasonably large memory allocation to arbitrary guests
(CVE-2014-1892).

Xen 3.2 (and presumably earlier) exhibit both problems with the
overflow issue being present for more than just the suboperations
listed above.  (CVE-2014-1894 for the subops not covered above.)

The FLASK_GETBOOL op is available to all domains.

The FLASK_SETBOOL op is only available to domains which are granted
access via the Flask policy.  However, the permissions check is
performed only after running the vulnerable code, and the vulnerability
via this subop is exposed to all domains.

The FLASK_USER and FLASK_CONTEXT_TO_SID ops are only available to
domains which are granted access via the Flask policy.

IMPACT
======

Attempting to access the result of a zero byte allocation results in
a processor fault leading to a denial of service.

VULNERABLE SYSTEMS
==================

All Xen versions back to at least 3.2 are vulnerable to this issue when
built with XSM/Flask support. XSM support is disabled by default and is
enabled by building with XSM_ENABLE=y.

We have not checked earlier versions of Xen, but it is likely that
they are vulnerable to this or related vulnerabilities.

All Xen versions built with XSM_ENABLE=y are vulnerable.

MITIGATION
==========

There is no useful mitigation available in installations where XSM
support is actually in use.

In other systems, compiling it out (with XSM_ENABLE=n) will avoid the
vulnerability.

CREDITS
=======

This issue was discovered by Matthew Daley.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa84-unstable-4.3.patch        xen-unstable,Xen 4.3.x
xsa84-4.2.patch                 Xen 4.2.x
xsa84-4.1.patch                 Xen 4.1.x


$ sha256sum xsa84*.patch
e33dd94499959363ad01bebefda9733683c49fd42a9641cf2d7edcd87f853d55  xsa84-4.1.patch
433f3c8a202482c51a48dc0e9e47ac8751d1c0d0759b7bcd22804e1856279a89  xsa84-4.2.patch
64ae433eb606c5446184c08e6fceb9f660ed9a9c28ec112c8cc529251b3b49fb  xsa84-unstable-4.3.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJS+LgGAAoJEIP+FMlX6CvZH1MH/00JKMYdEyaSA3oVGRTeV3Wk
/ZgZl0dTuEBYLWTh/sE8txPGVb7jOvc4pzuhZ8Z0rvh4J10EKjqIUutSs0QR6m3U
+3H+C/eHW98oselKT1csUoIZuf+3oTkZeryVeTyUi7g04xoYHpljT/u+gku8Twuz
G8D3ckchHx5Zi40u0hQWAIOyJxwlpXD74mv2hnHa7X30anpLgGhsBxGLoghJSJwd
x+i82krxbs0Ac7zKQBeVpPhVHE7QHR5Em1BqkxxtT8c93aujeD0Lkdw2H2ki1uOc
+XOEwl/kT9TqiiHy+D+wZwY08xwijC4MZrxvVW35M6DupAG/4i9mv/ICs1GGfK8=
=GrAi
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa84-4.1.patch"
Content-Disposition: attachment; filename="xsa84-4.1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa84-4.2.patch"
Content-Disposition: attachment; filename="xsa84-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa84-unstable-4.3.patch"
Content-Disposition: attachment; filename="xsa84-unstable-4.3.patch"
Content-Transfer-Encoding: base64
--=separator--
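The two XSA-84 defects described in the advisory above (a caller-controlled size plus one that wraps to zero, and a permission check that runs only after the untrusted input has been processed), shown beside a hardened handler. This is an added example, not Xen code and not the attached patches: MAX_FLASK_STRING, the function names and the memcpy standing in for the copy from the guest are assumptions.

```c
/* Added example, not Xen code: the two XSA-84 defects, a size + 1 wrap-around
 * and a permission check that runs after the untrusted input has already been
 * processed, beside a hardened handler.  MAX_FLASK_STRING, the function names
 * and the memcpy standing in for the guest copy are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on a Flask boolean/context string; the advisory gives
 * no figure, it only notes that unbounded sizes reach the allocator. */
#define MAX_FLASK_STRING 4096u

/* The vulnerable computation: a caller-controlled 32-bit size plus one for
 * the NUL terminator.  UINT32_MAX + 1 wraps to 0, so the allocator returns
 * a zero-byte buffer that the later copy and terminator write run off. */
uint32_t naive_alloc_len(uint32_t size)
{
    return (uint32_t)(size + 1u);
}

/* Hardened computation: reject sizes above the cap (which also rules out
 * the wrapping value) and widen to size_t before adding. */
int checked_alloc_len(uint32_t size, size_t *out)
{
    if (size > MAX_FLASK_STRING)
        return -EINVAL;
    *out = (size_t)size + 1;
    return 0;
}

/* Handler in the safe order: authorise the caller, validate the size,
 * allocate, and only then touch caller-supplied bytes.  On success *result
 * is a NUL-terminated copy the caller must free(); on failure it is NULL. */
int handle_setbool(bool caller_permitted, const char *guest_bytes,
                   uint32_t size, char **result)
{
    size_t len;
    char *buf;

    *result = NULL;
    if (!caller_permitted)
        return -EPERM;              /* before any untrusted input is parsed */
    if (checked_alloc_len(size, &len) != 0)
        return -EINVAL;
    buf = malloc(len);
    if (buf == NULL)
        return -ENOMEM;
    memcpy(buf, guest_bytes, size); /* stands in for a copy from the guest */
    buf[size] = '\0';               /* in bounds: len == size + 1 */
    *result = buf;
    return 0;
}
```

The cap does double duty: it rejects the wrapping value outright and also bounds how much memory an unprivileged caller can make the hypervisor allocate, which is the separate CVE-2014-1892 concern for the older releases.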


From xen-announce-bounces@lists.xen.org Wed Feb 12 14:42:19 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 12 Feb 2014 14:42:19 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1WDazo-0002Ak-08; Wed, 12 Feb 2014 14:41:04 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WDazk-0002AJ-HC; Wed, 12 Feb 2014 14:41:00 +0000
Received: from [85.158.143.35:35140] by server-3.bemta-4.messagelabs.com id
	77/7D-11539-BF78BF25; Wed, 12 Feb 2014 14:40:59 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-3.tower-21.messagelabs.com!1392216057!5134789!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 11883 invoked from network); 12 Feb 2014 14:40:58 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-3.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	12 Feb 2014 14:40:58 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WDazd-0005Vh-54; Wed, 12 Feb 2014 14:40:53 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WDazc-0002Lp-Nh; Wed, 12 Feb 2014 14:40:53 +0000
Date: Wed, 12 Feb 2014 14:40:52 +0000
Message-Id: <E1WDazc-0002Lp-Nh@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 88 - use-after-free in
 xc_cpupool_getinfo() under memory pressure
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-88
                              version 2

      use-after-free in xc_cpupool_getinfo() under memory pressure

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

If xc_cpumap_alloc() fails then xc_cpupool_getinfo() will free and incorrectly
return the then-free pointer to the result structure.

IMPACT
======

An attacker may be able to cause a multi-threaded toolstack using this
function to race against itself leading to heap corruption and a
potential DoS.

Depending on the malloc implementation, privilege escalation cannot be
ruled out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.1 onwards.  Only multithreaded toolstacks
are vulnerable.  Only systems where management functions (such as
domain creation) are exposed to untrusted users are vulnerable.

xl is not multithreaded, so is not vulnerable.  However, multithreaded
toolstacks using libxl as a library are vulnerable.  xend is
vulnerable.

MITIGATION
==========

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew
Cooper.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa88.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x

$ sha256sum xsa88*.patch
7a73ca9db19a9ffe6e8cd259fa71dc1299738f26fa024303f4ab38931db75f14  xsa88.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJS+4fOAAoJEIP+FMlX6CvZfUUH/2wyYKHOkEaEmcjUbuyUM3CT
8V9VgW4dhq/sk9p5SqR0xGB6N+f2XytCAFXI3kNmYjrs+jGK5cQgLjxMOwMKrpwm
PsHCAZnGNzYMy48JtEUieEfwZqH/jNci7qJWNVdPoKnULOEd9X0hTri7vg1CoDI2
DUBeLvmC5mCFBej4pcDGX++XsdL90EnGa0RfrrVfIVf16EfBjgr8KzLKXd1uBueC
yWKg5z24+HoRqFp3n3+Q9T6GN+npOj/78mrlXJ7onKepONAmLqg0J6g/1hHuc4hY
pwUnbSf0452FKTFs7KUodXoJNNX1i3IuOch9pBcKlrbT6K/g/qwMZ/Pl2Ir8a20=
=vA6e
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa88.patch"
Content-Disposition: attachment; filename="xsa88.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Wed Feb 12 17:06:13 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 12 Feb 2014 17:06:13 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1WDdF5-0001Ld-CH; Wed, 12 Feb 2014 17:04:59 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WDdF3-0001LJ-NB; Wed, 12 Feb 2014 17:04:57 +0000
Received: from [193.109.254.147:22604] by server-13.bemta-14.messagelabs.com
	id F1/77-01226-8B9ABF25; Wed, 12 Feb 2014 17:04:56 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-8.tower-27.messagelabs.com!1392224695!3881502!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 16699 invoked from network); 12 Feb 2014 17:04:56 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-8.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	12 Feb 2014 17:04:56 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WDdEw-0007GV-W4; Wed, 12 Feb 2014 17:04:50 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WDdEw-00070S-Fk; Wed, 12 Feb 2014 17:04:50 +0000
Date: Wed, 12 Feb 2014 17:04:50 +0000
Message-Id: <E1WDdEw-00070S-Fk@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 88 (CVE-2014-1950) -
 use-after-free in xc_cpupool_getinfo() under memory pressure
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              Xen Security Advisory CVE-2014-1950 / XSA-88
                              version 3

      use-after-free in xc_cpupool_getinfo() under memory pressure

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

If xc_cpumap_alloc() fails then xc_cpupool_getinfo() will free and incorrectly
return the then-free pointer to the result structure.

IMPACT
======

An attacker may be able to cause a multi-threaded toolstack using this
function to race against itself leading to heap corruption and a
potential DoS.

Depending on the malloc implementation, privilege escalation cannot be
ruled out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.1 onwards.  Only multithreaded toolstacks
are vulnerable.  Only systems where management functions (such as
domain creation) are exposed to untrusted users are vulnerable.

xl is not multithreaded, so is not vulnerable.  However, multithreaded
toolstacks using libxl as a library are vulnerable.  xend is
vulnerable.

MITIGATION
==========

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew
Cooper.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa88.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x

$ sha256sum xsa88*.patch
7a73ca9db19a9ffe6e8cd259fa71dc1299738f26fa024303f4ab38931db75f14  xsa88.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJS+6mbAAoJEIP+FMlX6CvZjhAH/j9PI7N93lhkTiVZiD3noh9e
czgskoQ1ge1zHSzYVXvLZvVEaEVCSMQpql37gSAeWl7rfjdFxv6xQQ3OIla2Xyqm
xfoaQhP8ZMbBX6RAWRWC99wCB8ki67VA3ZqHEqNPz72FxnaT9Y0bQ0Wg4cVcq69q
hNtidmtRfX8yD5o/ACpiuCHL0miD9GxZGjGVy1EAjMxKgfDR8fBkI2hoHe4v6V4v
XzeiXW7/xyLtXausFsTdUI/gTO+2UCWlaBPS5eobCnXFP+agmJfhTAzHU9gNQajv
AATAlka1y9WMWnLBvp+UMDqJ2w5XhwwVQAW17mAyipLi0vco6gcp1F80UTKmtVc=
=1It2
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa88.patch"
Content-Disposition: attachment; filename="xsa88.patch"
Content-Transfer-Encoding: base64

RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv
bT4KRGF0ZTogV2VkLCAyMiBKYW4gMjAxNCAxNzo0NzoyMSArMDAwMApTdWJq
ZWN0OiBsaWJ4YzogRml4IG91dC1vZi1tZW1vcnkgZXJyb3IgaGFuZGxpbmcg
aW4geGNfY3B1cG9vbF9nZXRpbmZvKCkKCkF2b2lkIGZyZWVpbmcgaW5mbyB0
aGVuIHJldHVybmluZyBpdCB0byB0aGUgY2FsbGVyLgoKVGhpcyBpcyBYU0Et
ODguCgpDb3Zlcml0eS1JRDogMTA1NjE5MgpTaWduZWQtb2ZmLWJ5OiBBbmRy
ZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpSZXZpZXdl
ZC1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgotLS0KIHRv
b2xzL2xpYnhjL3hjX2NwdXBvb2wuYyB8ICAgIDEgKwogMSBmaWxlIGNoYW5n
ZWQsIDEgaW5zZXJ0aW9uKCspCgpkaWZmIC0tZ2l0IGEvdG9vbHMvbGlieGMv
eGNfY3B1cG9vbC5jIGIvdG9vbHMvbGlieGMveGNfY3B1cG9vbC5jCmluZGV4
IGM4YzJhMzMuLjYzOTNjZmIgMTAwNjQ0Ci0tLSBhL3Rvb2xzL2xpYnhjL3hj
X2NwdXBvb2wuYworKysgYi90b29scy9saWJ4Yy94Y19jcHVwb29sLmMKQEAg
LTEwNCw2ICsxMDQsNyBAQCB4Y19jcHVwb29saW5mb190ICp4Y19jcHVwb29s
X2dldGluZm8oeGNfaW50ZXJmYWNlICp4Y2gsCiAgICAgaW5mby0+Y3B1bWFw
ID0geGNfY3B1bWFwX2FsbG9jKHhjaCk7CiAgICAgaWYgKCFpbmZvLT5jcHVt
YXApIHsKICAgICAgICAgZnJlZShpbmZvKTsKKyAgICAgICAgaW5mbyA9IE5V
TEw7CiAgICAgICAgIGdvdG8gb3V0OwogICAgIH0KICAgICBpbmZvLT5jcHVw
b29sX2lkID0gc3lzY3RsLnUuY3B1cG9vbF9vcC5jcHVwb29sX2lkOwo=

--=separator--
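The error-path pattern behind XSA-88, as an added example that is not Xen's libxc and not the attached xsa88.patch: a getinfo-style function allocates a result struct, then a second buffer for it, and on failure of the second allocation frees the struct but still returns the now-dangling pointer. struct poolinfo, the injected-failure flag and the function names are assumptions, not libxc's types.

```c
/* Added example, not Xen's libxc: the XSA-88 error-path pattern.  A getinfo
 * style function allocates a result struct and then a second buffer for it;
 * when the second allocation fails the buggy code frees the struct but still
 * returns the now-dangling pointer.  struct poolinfo, the injected failure
 * flag and the function names are assumptions, not libxc's types. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct poolinfo {
    uint32_t pool_id;
    uint8_t *cpumap;      /* second allocation, made after the struct */
};

/* Stand-in for the cpumap allocator; 'fail' injects the out-of-memory case. */
static uint8_t *cpumap_alloc(bool fail)
{
    return fail ? NULL : calloc(16, 1);
}

/* The defective error path looked like this (do not use):
 *
 *     if (!info->cpumap) {
 *         free(info);
 *         goto out;          // 'info' still holds the freed address
 *     }
 * out:
 *     return info;           // caller receives freed memory
 *
 * In a multi-threaded caller another thread can reuse that block between
 * the free and the caller's first access, which is the heap corruption the
 * advisory describes. */

/* Fixed version: clear the pointer after freeing so the caller gets NULL. */
struct poolinfo *getinfo_fixed(uint32_t pool_id, bool inject_oom)
{
    struct poolinfo *info = calloc(1, sizeof(*info));
    if (info == NULL)
        return NULL;

    info->cpumap = cpumap_alloc(inject_oom);
    if (info->cpumap == NULL) {
        free(info);
        info = NULL;    /* the one-line fix */
        goto out;
    }
    info->pool_id = pool_id;
out:
    return info;
}

/* Matching release helper so callers never free the members twice. */
void poolinfo_free(struct poolinfo *info)
{
    if (info == NULL)
        return;
    free(info->cpumap);
    free(info);
}

/* A caller that relies on the NULL contract: returns -1 on failure rather
 * than touching whatever the dangling pointer would have pointed at. */
int pool_id_of(uint32_t pool_id, bool inject_oom)
{
    struct poolinfo *info = getinfo_fixed(pool_id, inject_oom);
    int id = -1;
    if (info != NULL) {
        id = (int)info->pool_id;
        poolinfo_free(info);
    }
    return id;
}
```

The caller-side check is what makes the fix meaningful: a NULL return is something the caller can test for, whereas a freed-but-non-NULL pointer is indistinguishable from a valid result until it is used.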


From xen-announce-bounces@lists.xen.org Wed Feb 19 16:56:44 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 19 Feb 2014 16:56:44 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1WGAQo-0001WU-Ps; Wed, 19 Feb 2014 16:55:34 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WGAQn-0001Vm-7d; Wed, 19 Feb 2014 16:55:33 +0000
Received: from [193.109.254.147:36768] by server-13.bemta-14.messagelabs.com
	id D4/E1-01226-402E4035; Wed, 19 Feb 2014 16:55:32 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-9.tower-27.messagelabs.com!1392828929!1483478!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 4719 invoked from network); 19 Feb 2014 16:55:30 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-9.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	19 Feb 2014 16:55:30 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WGAQe-000792-Eh; Wed, 19 Feb 2014 16:55:24 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WGAQe-0003PS-Bl; Wed, 19 Feb 2014 16:55:24 +0000
Date: Wed, 19 Feb 2014 16:55:24 +0000
Message-Id: <E1WGAQe-0003PS-Bl@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 82 (CVE-2013-6885) - Guest
 triggerable AMD CPU erratum may cause host hang
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-6885 / XSA-82
                              version 4

          Guest triggerable AMD CPU erratum may cause host hang

UPDATES IN VERSION 4
====================

The original fix for 4.2.x and 4.1.x was found to deal with 64-bit
hypervisors only. Incremental patches to also address 32-bit ones are
now being provided in addition.

ISSUE DESCRIPTION
=================

AMD CPU erratum 793 "Specific Combination of Writes to Write Combined
Memory Types and Locked Instructions May Cause Core Hang" describes a
situation under which a CPU core may hang.

IMPACT
======

A malicious guest administrator can mount a denial of service attack
affecting the whole system.

VULNERABLE SYSTEMS
==================

The vulnerability is applicable only to family 16h model 00h-0fh AMD
CPUs.

Such CPUs running Xen versions 3.3 onwards are vulnerable.  We have
not checked earlier versions of Xen.

HVM guests can always exploit the vulnerability if it is present.
PV guests can exploit the vulnerability only if they have been granted
access to physical device(s).

Non-AMD CPUs are not vulnerable.
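
A host-side check for the CPU window named above, added here as an
example (it is not part of the advisory or of Xen): it decodes the
CPUID leaf 1 signature the way AMD defines family and model, and it
also reads the already-decoded fields from /proc/cpuinfo. The
signature values and the cpuinfo text below are constructed samples.

```python
"""Tell whether a host CPU falls in the XSA-82 window (AMD family 16h,
models 00h-0fh, i.e. the parts erratum 793 applies to).

Added example, not part of the Xen advisory or of Xen itself. Two inputs
are handled: the raw EAX value of CPUID leaf 1, and the text of
/proc/cpuinfo, where the kernel has already decoded the fields.
All sample values are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

AFFECTED_FAMILY = 0x16
AFFECTED_MODELS = range(0x00, 0x10)  # models 00h-0fh inclusive


def decode_amd_signature(eax: int) -> Tuple[int, int, int]:
    """Split CPUID.1:EAX into (family, model, stepping).

    AMD's rule: the extended family and extended model fields count only
    when the base family field is 0Fh, which it is for every family >= 10h.
    (Intel uses a different rule for family 6; this decoder is AMD-specific.)
    """
    stepping = eax & 0xF
    base_model = (eax >> 4) & 0xF
    base_family = (eax >> 8) & 0xF
    ext_model = (eax >> 16) & 0xF
    ext_family = (eax >> 20) & 0xFF
    if base_family == 0xF:
        return base_family + ext_family, (ext_model << 4) | base_model, stepping
    return base_family, base_model, stepping


def is_affected(vendor: str, family: int, model: int) -> bool:
    """Non-AMD CPUs are out of scope whatever their family/model says."""
    return (vendor == "AuthenticAMD"
            and family == AFFECTED_FAMILY
            and model in AFFECTED_MODELS)


def affected_by_signature(vendor: str, eax: int) -> bool:
    family, model, _ = decode_amd_signature(eax)
    return is_affected(vendor, family, model)


# Only the /proc/cpuinfo fields the check needs ("model name" does not match).
FIELD = re.compile(r"^(processor|vendor_id|cpu family|model)\s*:\s*(.*?)\s*$")


def parse_proc_cpuinfo(text: str) -> List[Dict[str, str]]:
    """Return one dict per processor stanza (stanzas are blank-line separated)."""
    cpus: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                cpus.append(current)
                current = {}
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        cpus.append(current)
    return cpus


def affected_processors(cpuinfo_text: str) -> List[int]:
    """Processor numbers from /proc/cpuinfo that sit inside the XSA-82 window."""
    hits: List[int] = []
    for cpu in parse_proc_cpuinfo(cpuinfo_text):
        # /proc/cpuinfo prints "cpu family" and "model" in decimal.
        if is_affected(cpu.get("vendor_id", ""),
                       int(cpu.get("cpu family", -1)),
                       int(cpu.get("model", -1))):
            hits.append(int(cpu["processor"]))
    return hits


# Constructed /proc/cpuinfo excerpts: a two-core family 16h model 00h AMD part,
# and an Intel part that must never be flagged.
SAMPLE_AMD_CPUINFO = (
    "processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: 22\nmodel\t\t: 0\n"
    "model name\t: AMD sample part (constructed)\nstepping\t: 1\n\n"
    "processor\t: 1\nvendor_id\t: AuthenticAMD\ncpu family\t: 22\nmodel\t\t: 0\n"
    "model name\t: AMD sample part (constructed)\nstepping\t: 1\n"
)
SAMPLE_INTEL_CPUINFO = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 58\n"
    "model name\t: Intel sample part (constructed)\nstepping\t: 9\n"
)

if __name__ == "__main__":
    for eax in (0x700F01, 0x730F01):  # family 16h model 00h, family 16h model 30h
        fam, mod, step = decode_amd_signature(eax)
        print(f"eax={eax:#x} family={fam:#x} model={mod:#x} stepping={step} "
              f"affected={affected_by_signature('AuthenticAMD', eax)}")
    print("affected processors in AMD sample:", affected_processors(SAMPLE_AMD_CPUINFO))
    print("affected processors in Intel sample:", affected_processors(SAMPLE_INTEL_CPUINFO))
```

On a live host, feed the text of /proc/cpuinfo to affected_processors(); the
CPUID path is for the case where you only have the raw signature (for
example from a hypervisor log).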

CREDITS
=======

This issue's security impact was discovered by Jan Beulich.

MITIGATION
==========

This issue can be avoided by neither running HVM guests, nor assigning
PCI devices to PV guests.

RESOLUTION
==========

The attached xsa82.patch contains a software workaround which resolves
this issue for 64-bit hypervisors. To also resolve the issue on 32-bit
hypervisors (Xen 4.2.x and 4.1.x only), the respective attached
xsa82-4.?-32bit.patch needs to be applied on top.

Alternatively, the recommended workaround can be implemented in
firmware, so a suitable firmware update will resolve the issue.
If you require a firmware update please consult your vendor.

xsa82.patch             Xen 4.1.x, Xen 4.2.x, Xen 4.3.x, xen-unstable
xsa82-4.1-32bit.patch   Xen 4.1.x
xsa82-4.2-32bit.patch   Xen 4.2.x

$ sha256sum xsa82*.patch
b0fb0289e1da965bc038993e07af4ba78cb746ed8f1a1865f5fec9de7299faa7  xsa82-4.1-32bit.patch
18f2ba14131975b45688e3c5f4c0a85bd78cf089c3d83ae81f86e149b8c538d6  xsa82-4.2-32bit.patch
0a58f3564ca91fd2668c202446c607fdb1ec8643e558a3921046d43675f58c08  xsa82.patch
$
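
The listing above is what downloaded copies of the patches should be
compared against before they are applied. The following script is an
added example (not part of the advisory): it parses that sha256sum
block and checks local patch files against it, reporting ok, mismatch
or missing per file. The demo file contents are constructed
placeholders and therefore deliberately fail the check.

```python
"""Check downloaded XSA patch files against the sha256sum listing quoted
in an advisory.

Added example, not part of the Xen advisory. The listing below is copied
from the advisory's RESOLUTION section; the patch contents used in the
demo are constructed placeholders.
"""
import hashlib
import hmac
import re
from pathlib import Path
from typing import Dict

ADVISORY_LISTING = """\
$ sha256sum xsa82*.patch
b0fb0289e1da965bc038993e07af4ba78cb746ed8f1a1865f5fec9de7299faa7  xsa82-4.1-32bit.patch
18f2ba14131975b45688e3c5f4c0a85bd78cf089c3d83ae81f86e149b8c538d6  xsa82-4.2-32bit.patch
0a58f3564ca91fd2668c202446c607fdb1ec8643e558a3921046d43675f58c08  xsa82.patch
$
"""

# One sha256sum output line: 64 hex digits, then "  " (text mode) or " *"
# (binary mode), then the file name. Prompt lines and blanks do not match.
HASH_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](\S+)$")


def parse_sha256sum_listing(text: str) -> Dict[str, str]:
    """Map file name -> expected digest, ignoring anything that is not a hash line."""
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            manifest[m.group(2)] = m.group(1).lower()
    return manifest


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_patches(manifest: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, str]:
    """Per manifest entry: 'ok', 'mismatch' or 'missing'.

    Files that are not named in the manifest are ignored rather than trusted.
    """
    results: Dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in files:
            results[name] = "missing"
        elif hmac.compare_digest(sha256_hex(files[name]), expected):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def load_patch_dir(directory: str, manifest: Dict[str, str]) -> Dict[str, bytes]:
    """Read only the files the manifest names from a directory of downloads."""
    files: Dict[str, bytes] = {}
    for name in manifest:
        p = Path(directory) / name
        if p.is_file():
            files[name] = p.read_bytes()
    return files


if __name__ == "__main__":
    manifest = parse_sha256sum_listing(ADVISORY_LISTING)
    # Constructed stand-ins for the real attachments: they will not match,
    # and the two files that are absent are reported as missing.
    fake_files = {"xsa82.patch": b"placeholder patch body, not the real attachment\n"}
    for name, status in sorted(verify_patches(manifest, fake_files).items()):
        print(f"{status:8s} {name}")
```

For real use, replace fake_files with load_patch_dir(".", manifest) after
saving the attachments next to the script; a "mismatch" means the file
must not be applied until its origin has been checked.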
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTBOHNAAoJEIP+FMlX6CvZ6TIIAMS1oTljW2yAB9daiY5P0UBf
u4X+NTUUUO6DiKLakBFjmS01oB7pApSCHmnqUqgFXlbo8KJsz3qtCLWe+IHH0Kex
8ofL/pDedcHm7bSkXCcncz8xVCqPbPrgVV+bwDXHru65/jxf0XDvPRT9af4N2eGY
wlngDFDaWLuozjOqp2mtaOSiqbUc2r43BOalMl6om2BFbF8BEBpPBkcLRxUvsQX0
noZMbknQ36mb0/+dC+pHCUfcUuLquaGNx+I+UF4HXSUdxhVniCD8hzmDxRR9i5Dn
S/g9z72LDF0cISL2K4B/iwRiCjOozHqbNimSAWuWTgj3dAWu8dClI3SQyFpOgxY=
=ie9o
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa82-4.1-32bit.patch"
Content-Disposition: attachment; filename="xsa82-4.1-32bit.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa82-4.2-32bit.patch"
Content-Disposition: attachment; filename="xsa82-4.2-32bit.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa82.patch"
Content-Disposition: attachment; filename="xsa82.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Wed Feb 19 16:56:44 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 19 Feb 2014 16:56:44 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1WGAQk-0001Ux-68; Wed, 19 Feb 2014 16:55:30 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WGAQi-0001Ub-GM; Wed, 19 Feb 2014 16:55:28 +0000
Received: from [85.158.137.68:59489] by server-9.bemta-3.messagelabs.com id
	D6/B7-10184-FF1E4035; Wed, 19 Feb 2014 16:55:27 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-2.tower-31.messagelabs.com!1392828925!1377595!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 20088 invoked from network); 19 Feb 2014 16:55:26 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-2.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	19 Feb 2014 16:55:26 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WGAQa-00078q-MA; Wed, 19 Feb 2014 16:55:20 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WGAQa-0003OO-4k; Wed, 19 Feb 2014 16:55:20 +0000
Date: Wed, 19 Feb 2014 16:55:20 +0000
Message-Id: <E1WGAQa-0003OO-4k@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 60 (CVE-2013-2212) - Excessive
 time to disable caching with HVM guests with PCI passthrough
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-2212 / XSA-60
                             version 6

   Excessive time to disable caching with HVM guests with PCI passthrough

UPDATES IN VERSION 6
====================

Since the issue of this advisory, various fixes have been applied to
the public Xen trees.

ISSUE DESCRIPTION
=================

HVM guests are able to manipulate their physical address space such that
processing a subsequent request by that guest to disable caches takes an
extended amount of time changing the cachability of the memory pages assigned
to this guest. This applies only when the guest has been granted access to
some memory mapped I/O region (typically by way of assigning a passthrough
PCI device).

This can cause the CPU which processes the request to become unavailable,
possibly causing the hypervisor or a guest kernel (including the domain 0 one)
to halt itself ("panic").

IMPACT
======

A malicious domain, given access to a device with memory mapped I/O
regions, can cause the host to become unresponsive for a period of
time, potentially leading to a DoS affecting the whole system.

VULNERABLE SYSTEMS
==================

Xen version 3.3 onwards is vulnerable.

Only systems using the Intel variant of Hardware Assisted Paging (aka EPT) are
vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests, or
by running HVM guests with shadow mode paging (through adding "hap=0" to the
domain configuration file).
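
The two advisories in this archive each name a guest set-up to avoid:
XSA-82 above (no HVM guests, and no PCI devices for PV guests, on the
affected AMD hosts) and XSA-60 here (no PCI passthrough to untrusted
HVM guests, or hap=0, on Intel EPT hosts). The following script is an
added example, not part of either advisory nor of the Xen tools: it
reads xl/xm domain configuration files (Python syntax, parsed with ast
rather than executed) and reports which mitigation each domain
violates on the host type you tell it about. It assumes that
builder/type names the guest type (PV when absent), that pci is the
passthrough list, and that hap defaults to 1 when unset; the sample
configs are constructed.

```python
"""Audit xl/xm domain configuration files for the guest set-ups that the
XSA-60 and XSA-82 mitigations tell administrators to avoid.

Added example, not part of either advisory or of the Xen tools.
  XSA-60 (Intel EPT hosts): HVM guest + PCI passthrough + HAP enabled
  XSA-82 (AMD family 16h model 00h-0fh hosts): any HVM guest, or a PV
         guest with PCI passthrough
Assumptions: `builder` or `type` names the guest type (PV when absent),
`pci` is the passthrough list, `hap` defaults to 1 when unset.
The sample configs are constructed.
"""
import ast
from typing import Dict, List


def parse_domain_config(text: str) -> Dict[str, object]:
    """Collect `key = literal` assignments without running the config file."""
    values: Dict[str, object] = {}
    for node in ast.parse(text).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                values[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError, SyntaxError):
                pass  # right-hand side is not a plain literal: ignore it
    return values


def classify(cfg: Dict[str, object]) -> Dict[str, object]:
    """Reduce a parsed config to the three facts the advisories care about."""
    guest_type = str(cfg.get("type", cfg.get("builder", "pv"))).lower()
    pci = cfg.get("pci", [])
    if isinstance(pci, str):
        pci = [pci]
    return {
        "name": cfg.get("name", "<unnamed>"),
        "hvm": guest_type == "hvm",
        "passthrough": len(pci) > 0,
        "hap": bool(cfg.get("hap", 1)),  # assumption: xl defaults hap to 1
    }


def findings_for(summary: Dict[str, object], intel_ept_host: bool,
                 amd_erratum_793_host: bool) -> List[str]:
    hits: List[str] = []
    # XSA-60 needs EPT, an MMIO region from a passthrough device, and HAP on;
    # hap=0 (shadow paging) is the advisory's mitigation.
    if intel_ept_host and summary["hvm"] and summary["passthrough"] and summary["hap"]:
        hits.append("XSA-60")
    # XSA-82: HVM guests always qualify; PV guests only with a device assigned.
    if amd_erratum_793_host and (summary["hvm"] or summary["passthrough"]):
        hits.append("XSA-82")
    return hits


def audit(configs: Dict[str, str], intel_ept_host: bool,
          amd_erratum_793_host: bool) -> Dict[str, List[str]]:
    """File name -> list of advisories whose mitigation the domain violates."""
    return {
        fname: findings_for(classify(parse_domain_config(text)),
                            intel_ept_host, amd_erratum_793_host)
        for fname, text in configs.items()
    }


# Constructed sample configs in xl/xm syntax.
SAMPLE_CONFIGS: Dict[str, str] = {
    "hvm-passthrough.cfg": ('builder = "hvm"\nname = "hvm-passthrough"\n'
                            'memory = 2048\npci = ["01:00.0"]  # hap left at default\n'),
    "hvm-shadow.cfg": ('builder = "hvm"\nname = "hvm-shadow"\n'
                       'pci = ["02:00.0"]\nhap = 0  # shadow paging\n'),
    "pv-passthrough.cfg": ('name = "pv-passthrough"\nkernel = "/path/to/guest/kernel"\n'
                           'pci = ["03:00.0"]\n'),
    "pv-plain.cfg": 'name = "pv-plain"\nkernel = "/path/to/guest/kernel"\n',
    "hvm-nodev.cfg": 'builder = "hvm"\nname = "hvm-nodev"\n',
}

if __name__ == "__main__":
    for host, intel, amd in (("Intel EPT host", True, False),
                             ("AMD family 16h host", False, True)):
        print(host)
        for fname, hits in sorted(audit(SAMPLE_CONFIGS, intel, amd).items()):
            print(f"  {fname:22s} {', '.join(hits) or 'no finding'}")
```

Point audit() at the texts of the files in /etc/xen (or wherever your
domain configs live) with the flags set for the host's CPU; a domain
with a finding is one the advisory's MITIGATION section says not to run
in that form until the fix is applied.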

CREDITS
=======

Zhenzhong Duan found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
==========

This issue has been fixed in the public xen.git trees.

For xen-unstable (#staging, #master), in these git commits:
  c13b0d65ddedd745 VMX: disable EPT when !cpu_has_vmx_pat
  1c84d046735102e0 VMX: remove the problematic set_uc_mode logic
  62652c00efa55fb4 VMX: fix cr0.cd handling
  86d60e855fe118df VMX: flush cache when vmentry back to UC guest
  f1c9658d6802c433 Revert "VMX: flush cache when vmentry back to UC guest"
(Earliest commit is listed first.  Note that f1c9658d reverts
not only 86d60e85 but also part of 62652c00.)

For Xen 4.2 (#staging-4.2, #stable-4.2):
  f1e0df14412c VMX: disable EPT when !cpu_has_vmx_pat
  644e6c5c7106 VMX: remove the problematic set_uc_mode logic
  0fffcffeb594 VMX: fix cr0.cd handling
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTBOHLAAoJEIP+FMlX6CvZOZsIAI1JT1S+76kGilCSef5r2XUx
uQ/cFVNjlcACeIF9/ejglQzlfaUcB3fjERdHVuYdiURgiPOwUErJV+0Xg3avFTIj
hE9KeUnBl9+vS8OwmO7va4LEZf3xl8LVhirbsepL6eubvmgtmxqf/MeV6kMF5xUU
9t65V80qPNYpA+2SzUnRZFuzGHLd5IkTFUQXfKEzGH3lWu35qvGqyhYWRXHVmz9c
4e49pqO6QenjSlLxvpiW/FpeUxothpq4xxrSom4XsZrBULp4EywU9EkaF5tuFnpg
dyzfz3Ap7k0H+5NoHTfof+N7rzaEOyR/QtXIerpcwuf5qMIN0c2HSZBzGdrvlfw=
=SC2T
-----END PGP SIGNATURE-----

--=separator--


