From xen-announce-bounces@lists.xen.org Thu May 01 10:55:28 2014
Date: Thu, 01 May 2014 10:53:30 +0000
Message-Id: <E1WfocM-0003zX-FP@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 91 (CVE-2014-3125) - Hardware
 timer context is not properly context switched on ARM


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              Xen Security Advisory CVE-2014-3125 / XSA-91
                               version 3

    Hardware timer context is not properly context switched on ARM

UPDATES IN VERSION 3
====================

This issue has been assigned CVE-2014-3125.

ISSUE DESCRIPTION
=================

When running on an ARM platform Xen was not context switching the
CNTKCTL_EL1 register, which is used by the guest kernel to control
access by userspace processes to the hardware timers. This meant that
any guest can reconfigure these settings for the entire system.

IMPACT
======

A malicious guest kernel can reconfigure CNTKCTL_EL1 to block
userspace access to the timer hardware for all domains, including
control domains. Depending on the other guest kernels in use this may
cause an unexpected exception in those guests which may lead to a
kernel crash and therefore a denial of service.

64-bit ARM Linux is known to be susceptible to crashing in this way.

A malicious guest kernel can also enable userspace access to the timer
control registers, which may not be expected by kernels running in
other domains. This can allow user processes to reprogram timer
interrupts and therefore lead to unexpected behaviour, potentially up
to and including crashing the guest. Userspace processes will also be
able to read the current timestamp value for the domain, perhaps
leaking information to those processes.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onwards.

x86 systems are not vulnerable.

MITIGATION
==========

None.

CREDITS
=======

Chen Baozi discovered this issue as a bug which was then diagnosed by
Julien Grall.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa91-unstable.patch                  xen-unstable
xsa91-4.4.patch                       Xen 4.4.x

$ sha256sum xsa91*.patch
8a3dc1f001274550acfe929a0a443b09f8164001f6eea76821bd87292b8732e0  xsa91-4.4.patch
327ccd88f2d9bc21daf51f3e5c81cbae2e779a6f997715d9d0d95285c509ecbd  xsa91-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--=separator--
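
An added illustration (not code from the advisory or from Xen) of the failure mode XSA-91 describes: a small C model of one physical CNTKCTL_EL1 register shared by two vCPUs, run with and without save/restore on context switch. The struct and function names are hypothetical, the victim kernel's initial setting is an assumption of the model, and the bit positions are those the ARM architecture defines for CNTKCTL_EL1.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CNTKCTL_EL1 access-control bits as defined by the ARM architecture. */
#define CNTKCTL_EL0PCTEN (1u << 0) /* EL0 may read the physical counter */
#define CNTKCTL_EL0VCTEN (1u << 1) /* EL0 may read the virtual counter  */
#define CNTKCTL_EL0VTEN  (1u << 8) /* EL0 may access the virtual timer  */
#define CNTKCTL_EL0PTEN  (1u << 9) /* EL0 may access the physical timer */

/* Hypothetical model types, not Xen's own structures. */
struct pcpu { uint32_t cntkctl; };       /* the single hardware register */
struct vcpu { uint32_t saved_cntkctl; }; /* per-vCPU copy held by the hypervisor */

/* Model of a hypervisor context switch on one physical CPU. */
static void context_switch(struct pcpu *cpu, struct vcpu *prev,
                           struct vcpu *next, bool save_restore)
{
    if (!save_restore)
        return; /* vulnerable behaviour: register stays as the last guest left it */
    if (prev)
        prev->saved_cntkctl = cpu->cntkctl; /* save outgoing vCPU's value */
    cpu->cntkctl = next->saved_cntkctl;     /* restore incoming vCPU's value */
}

/* A guest kernel (EL1) writing the register while it is running. */
static void guest_kernel_write(struct pcpu *cpu, uint32_t value)
{
    cpu->cntkctl = value;
}

/*
 * Victim vCPU runs, another guest runs and writes other_value, then the
 * victim is rescheduled. Returns the CNTKCTL_EL1 value the victim now runs with.
 */
uint32_t victim_cntkctl_after_reschedule(bool save_restore, uint32_t other_value)
{
    struct pcpu cpu = { 0 };
    struct vcpu victim = { 0 }, other = { 0 };

    context_switch(&cpu, NULL, &victim, save_restore);
    /* Model assumption: the victim kernel lets userspace read the virtual counter. */
    guest_kernel_write(&cpu, CNTKCTL_EL0VCTEN);

    context_switch(&cpu, &victim, &other, save_restore);
    guest_kernel_write(&cpu, other_value);

    context_switch(&cpu, &other, &victim, save_restore);
    return cpu.cntkctl;
}

/* Would a userspace read of the virtual counter trap to the guest kernel? */
bool el0_counter_read_traps(uint32_t cntkctl)
{
    return (cntkctl & CNTKCTL_EL0VCTEN) == 0;
}

/* Can userspace touch the timer control registers? */
bool el0_timer_control_open(uint32_t cntkctl)
{
    return (cntkctl & (CNTKCTL_EL0VTEN | CNTKCTL_EL0PTEN)) != 0;
}

int main(void)
{
    const uint32_t block = 0;
    const uint32_t open_ctl = CNTKCTL_EL0VTEN | CNTKCTL_EL0PTEN;

    for (int fixed = 0; fixed <= 1; fixed++) {
        uint32_t a = victim_cntkctl_after_reschedule(fixed, block);
        uint32_t b = victim_cntkctl_after_reschedule(fixed, open_ctl);
        printf("%s: other guest blocks access  -> victim EL0 counter read traps: %s\n",
               fixed ? "save/restore" : "no save/restore",
               el0_counter_read_traps(a) ? "yes" : "no");
        printf("%s: other guest opens controls -> victim EL0 timer control open: %s\n",
               fixed ? "save/restore" : "no save/restore",
               el0_timer_control_open(b) ? "yes" : "no");
    }
    return 0;
}
```
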


From xen-announce-bounces@lists.xen.org Thu May 01 10:55:28 2014
Date: Thu, 01 May 2014 10:54:27 +0000
Message-Id: <E1WfodH-0004Jw-FC@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 92 (CVE-2014-3124) -
 HVMOP_set_mem_type allows invalid P2M entries to be created


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2014-3124 / XSA-92
                              version 3

      HVMOP_set_mem_type allows invalid P2M entries to be created

UPDATES IN VERSION 3
====================

This issue has been assigned CVE-2014-3124.

ISSUE DESCRIPTION
=================

The implementation in Xen of the HVMOP_set_mem_type HVM control
operations attempts to exclude transitioning a page from an
inappropriate memory type.  However, only an inadequate subset of
memory types is excluded.

There are certain other types that don't correspond to a particular
valid page, whose page table translation can be inappropriately
changed (by HVMOP_set_mem_type) from not-present (due to the lack of
valid memory page) to present.  If this occurs, an invalid translation
will be established.

IMPACT
======

In a configuration where device models run with limited privilege (for
example, stubdom device models), a guest attacker who successfully
finds and exploits an unfixed security flaw in qemu-dm could leverage
the other flaw into a Denial of Service affecting the whole host.

In the more general case, in more abstract terms: a malicious
administrator of a domain privileged with regard to an HVM guest can
cause Xen to crash leading to a Denial of Service.

Arbitrary code execution, and therefore privilege escalation, cannot
be entirely excluded: On a system with a RAM page present immediately
below the 52-bit address boundary, this would be possible.  However,
we are not aware of any systems with such a memory layout.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.1 onwards are vulnerable.

The vulnerability is only exposed to service domains for HVM guests
which have privilege over the guest.  In a usual configuration that
means only device model emulators (qemu-dm).

In the case of HVM guests whose device model is running in an
unrestricted dom0 process, qemu-dm already has the ability to cause
problems for the whole system.  So in that case the vulnerability is
not applicable.

The situation is more subtle for an HVM guest with a stub qemu-dm.
That is, where the device model runs in a separate domain (in the case
of xl, as requested by "device_model_stubdomain_override=1" in the xl
domain configuration file).  The same applies with a qemu-dm in a dom0
process subjected to some kind of kernel-based process privilege
limitation (e.g. the chroot technique as found in some versions of
XCP/XenServer).

In those latter situations this issue means that the extra isolation
does not provide as good a defence (against denial of service) as
intended.  That is the essence of this vulnerability.

However, the security is still better than with a qemu-dm running as
an unrestricted dom0 process.  Therefore users with these
configurations should not switch to an unrestricted dom0 qemu-dm.

Finally, in a radically disaggregated system: where the HVM service
domain software (probably, the device model domain image) is not
always supplied by the host administrator, a malicious service domain
administrator can exercise this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

In a radically disaggregated system, restricting HVM service domains
to software images approved by the host administrator will avoid the
vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa92.patch                 xen-unstable, Xen 4.4.x, Xen 4.3.x
xsa92-4.2.patch             Xen 4.2.x
xsa92-4.1.patch             Xen 4.1.x

$ sha256sum xsa92*.patch
184dcb88dfb4540fca33016ffcfe0f4f557449ab5b4ec6a4bf486c75926d23f3  xsa92.patch
76905398958dfcec98fb5bde2a68c0e86a3ccc9f442a8a658e972937fd75534a  xsa92-4.1.patch
bca98827834f807c787fceb6c719d9d4fe3c40786cb087156829e5e6fb5700d6  xsa92-4.2.patch
$
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--=separator--


From xen-announce-bounces@lists.xen.org Thu May 01 10:55:28 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 01 May 2014 10:55:28 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Wfoca-0001qk-SK; Thu, 01 May 2014 10:53:44 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WfocY-0001qF-Sq; Thu, 01 May 2014 10:53:43 +0000
Received: from [85.158.143.35:27792] by server-3.bemta-4.messagelabs.com id
	E1/FB-13602-6B722635; Thu, 01 May 2014 10:53:42 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-11.tower-21.messagelabs.com!1398941620!2200581!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.11.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 24114 invoked from network); 1 May 2014 10:53:41 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-11.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	1 May 2014 10:53:41 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WfocN-0004or-28; Thu, 01 May 2014 10:53:31 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WfocM-0003zX-FP; Thu, 01 May 2014 10:53:30 +0000
Date: Thu, 01 May 2014 10:53:30 +0000
Message-Id: <E1WfocM-0003zX-FP@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 91 (CVE-2014-3125) - Hardware
 timer context is not properly context switched on ARM
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              Xen Security Advisory CVE-2014-3125 / XSA-91
                               version 3

    Hardware timer context is not properly context switched on ARM

UPDATES IN VERSION 3
====================

This issue has been assigned CVE-2014-3125.

ISSUE DESCRIPTION
=================

When running on an ARM platform Xen was not context switching the
CNTKCTL_EL1 register, which is used by the guest kernel to control
access by userspace processes to the hardware timers. This meant that
any guest can reconfigure these settings for the entire system.

IMPACT
======

A malicious guest kernel can reconfigure CNTKCTL_EL1 to block
userspace access to the timer hardware for all domains, including
control domains. Depending on the other guest kernels in use this may
cause an unexpected exception in those guests which may lead to a
kernel crash and therefore a denial of service.

64-bit ARM Linux is known to be susceptible to crashing in this way.

A malicious guest kernel can also enable userspace access to the timer
control registers, which may not be expected by kernels running in
other domains. This can allow user processes to reprogram timer
interrupts and therefore lead to unexpected behaviour, potentially up
to and including crashing the guest. Userspace processes will also be
able to read the current timestamp value for the domain perhaps
leaking information to those processes.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onwards.

x86 systems are not vulnerable.

MITIGATION
==========

None.

CREDITS
=======

Chen Baozi discovered this issue as a bug which was then diagnosed by
Julien Grall.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa91-unstable.patch                  xen-unstable
xsa91-4.4.patch                       Xen 4.4.x

$ sha256sum xsa91*.patch
8a3dc1f001274550acfe929a0a443b09f8164001f6eea76821bd87292b8732e0  xsa91-4.4.patch
327ccd88f2d9bc21daf51f3e5c81cbae2e779a6f997715d9d0d95285c509ecbd  xsa91-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTYidcAAoJEIP+FMlX6CvZKnIH/03L/vIaj+x9AIn0FjKw/ZgH
lPP5tVQT4gvBrufxwKX7elH+XPu7bU6j8rQgAkno2VRVM6Emv5/Q41DJEMItG7sm
Nfqd833Jdov/2aAGj1kiLsLTv3s72G3XV1hQRviy9Uu9c2JA0Ch2BhurKvwW5K3h
6bRwPljTTaa0GmONHBso9EKHztmf2dViQar9M8WYuVDFmQ8c6fhqUX2uHkkTtdol
p2YVQgyej/cnKD1ZGVX9lLmHaw2+QbToY4SyUmRs/DmmK/T13Q+YUXuS3Nt0yY+m
12kkmMNRLvI/y9YHHxNMI9zDev2GpsdhKO3ScJ0iW9y7cC1/zPejWaPF+pU1nC0=
=6vG1
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa91-4.4.patch"
Content-Disposition: attachment; filename="xsa91-4.4.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: application/octet-stream; name="xsa91-unstable.patch"
Content-Disposition: attachment; filename="xsa91-unstable.patch"
Content-Transfer-Encoding: base64

eGVuL2FybTogQ29ycmVjdGx5IHNhdmUvcmVzdG9yZSBDTlRLQ1RMX0VMMQoK
Q05US0NUTF9FTDEgaXMgdXNlZCBieSB0aGUgZ3Vlc3QgdG8gY29udHJvbCBh
Y2Nlc3MgdG8gdGhlIHRpbWVyIGZyb20KdXNlcnNwYWNlLiAgSXQgdGhlcmVm
b3JlIG5lZWRzIHRvIGJlIHNhdmUvcmVzdG9yZWQgYnkgWGVuIGFzIHBhcnQg
b2YKdGhlIFZDUFUgc3RhdGUuCgpCeSBkZWZhdWx0IExpbnV4IG9uIEFSTTY0
IGV4cG9zZXMgdGhlIHRpbWVyIHRvIHVzZXJzcGFjZS4gIEZ1cnRoZXJtb3Jl
IG9uCkFSTTY0LCBMaW51eCBwcm92aWRlcyBoZWxwZXJzIGluIGEgVkRTTyAo
Z2V0dGltZW9mZGF5L19fZG9fZ2V0X3RzcGVjKQp0aGF0IHVzZSB0aGUgdGlt
ZXIgY291bnRlci4gIENvbnZlcnNlbHksIGR1cmluZyBDUFUgYnJpbmcgdXAs
IFhlbiB3aWxsCnNldCBDTlRLQ1RMX0VMMSB0byAwIChpLmUgZGlzYWxsb3cg
dGltZXIgYWNjZXNzIHRvIHRoZSB1c2Vyc3BhY2UpLiAgQXMKYSByZXN1bHQs
IGN1cnJlbnRseSwgaWYgZG9tMCBoYXMgMSBWQ1BVIHdoaWNoIGlzIG1pZ3Jh
dGVkIHRvIGFub3RoZXIKUENQVSwgaW5pdCBtaWdodCBjcmFzaC4KCkFsdGVy
bmF0aXZlbHksIGEgZ3Vlc3QgKG1hbGljaW91cyBvciBub3QpIG1pZ2h0IGRl
Y2lkZSB0byBkaXNhYmxlCmFjY2VzcyB0byB0aGUgdGltZXIgZnJvbSB1c2Vy
c3BhY2UuICBJZiB0aGUgcmVnaXN0ZXIgaXMgbm90CnNhdmUvcmVzdG9yZWQs
IHdoZW4gYSBET00wIFZDUFUgcnVucyBhZ2FpbiwgYSBzaW1pbGFyIGNyYXNo
IHdvdWxkCnJlc3VsdC4KCkFsc28sIGRyb3AgQ05US0NUTF9FTDEgaW5pdGlh
bGl6YXRpb24gaW4gaW5pdF90aW1lcl9pbnRlcnJ1cHQuICBYZW4Kc2hvdWxk
IGxldCB0aGUgZ3Vlc3QgZGVhbCB3aXRoIHRoaXMgcmVnaXN0ZXIuCgpSZXBv
cnRlZC1ieTogQ2hlbiBCYW96aSA8YmFvemljaEBnbWFpbC5jb20+ClNpZ25l
ZC1vZmYtYnk6IEp1bGllbiBHcmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5v
cmc+ClNpZ25lZC1vZmYtYnk6IElhbiBKYWNrc29uIDxpYW4uamFja3NvbkBl
dS5jaXRyaXguY29tPgpBY2tlZC1ieTogSWFuIENhbXBiZWxsIDxpYW4uY2Ft
cGJlbGxAY2l0cml4LmNvbT4KCmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0v
ZG9tYWluLmMgYi94ZW4vYXJjaC9hcm0vZG9tYWluLmMKaW5kZXggM2E2Y2M1
MC4uZGI0YjYwZCAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbi5j
CisrKyBiL3hlbi9hcmNoL2FybS9kb21haW4uYwpAQCAtNzMsNiArNzMsNyBA
QCBzdGF0aWMgdm9pZCBjdHh0X3N3aXRjaF9mcm9tKHN0cnVjdCB2Y3B1ICpw
KQogICAgIHAtPmFyY2gudHBpZHJfZWwxID0gUkVBRF9TWVNSRUcoVFBJRFJf
RUwxKTsKIAogICAgIC8qIEFyY2ggdGltZXIgKi8KKyAgICBwLT5hcmNoLmNu
dGtjdGwgPSBSRUFEX1NZU1JFRzMyKENOVEtDVExfRUwxKTsKICAgICB2aXJ0
X3RpbWVyX3NhdmUocCk7CiAKICAgICBpZiAoIGlzXzMyYml0X2RvbWFpbihw
LT5kb21haW4pICYmIGNwdV9oYXNfdGh1bWJlZSApCkBAIC0yMDksNiArMjEw
LDcgQEAgc3RhdGljIHZvaWQgY3R4dF9zd2l0Y2hfdG8oc3RydWN0IHZjcHUg
Km4pCiAKICAgICAvKiBUaGlzIGlzIGNvdWxkIHRyaWdnZXIgYW4gaGFyZHdh
cmUgaW50ZXJydXB0IGZyb20gdGhlIHZpcnR1YWwKICAgICAgKiB0aW1lci4g
VGhlIGludGVycnVwdCBuZWVkcyB0byBiZSBpbmplY3RlZCBpbnRvIHRoZSBn
dWVzdC4gKi8KKyAgICBXUklURV9TWVNSRUczMihuLT5hcmNoLmNudGtjdGws
IENOVEtDVExfRUwxKTsKICAgICB2aXJ0X3RpbWVyX3Jlc3RvcmUobik7CiB9
CiAKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS90aW1lLmMgYi94ZW4vYXJj
aC9hcm0vdGltZS5jCmluZGV4IDZiYmU5ODAuLmZjYTEzODcgMTAwNjQ0Ci0t
LSBhL3hlbi9hcmNoL2FybS90aW1lLmMKKysrIGIveGVuL2FyY2gvYXJtL3Rp
bWUuYwpAQCAtMjIzLDcgKzIyMyw2IEBAIHZvaWQgX19jcHVpbml0IGluaXRf
dGltZXJfaW50ZXJydXB0KHZvaWQpCiB7CiAgICAgLyogU2Vuc2libGUgZGVm
YXVsdHMgKi8KICAgICBXUklURV9TWVNSRUc2NCgwLCBDTlRWT0ZGX0VMMik7
ICAgICAvKiBObyBWTS1zcGVjaWZpYyBvZmZzZXQgKi8KLSAgICBXUklURV9T
WVNSRUczMigwLCBDTlRLQ1RMX0VMMSk7ICAgICAvKiBObyB1c2VyLW1vZGUg
YWNjZXNzICovCiAjaWYgVVNFX0hZUF9USU1FUgogICAgIC8qIERvIG5vdCBs
ZXQgdGhlIFZNcyBwcm9ncmFtIHRoZSBwaHlzaWNhbCB0aW1lciwgb25seSBy
ZWFkIHRoZSBwaHlzaWNhbCBjb3VudGVyICovCiAgICAgV1JJVEVfU1lTUkVH
MzIoQ05USENUTF9QQSwgQ05USENUTF9FTDIpOwpkaWZmIC0tZ2l0IGEveGVu
L2luY2x1ZGUvYXNtLWFybS9kb21haW4uaCBiL3hlbi9pbmNsdWRlL2FzbS1h
cm0vZG9tYWluLmgKaW5kZXggNTBiOWI1NC4uNGRjMWQ1YSAxMDA2NDQKLS0t
IGEveGVuL2luY2x1ZGUvYXNtLWFybS9kb21haW4uaAorKysgYi94ZW4vaW5j
bHVkZS9hc20tYXJtL2RvbWFpbi5oCkBAIC0yODksNiArMjg5LDkgQEAgc3Ry
dWN0IGFyY2hfdmNwdQogICAgICAgICBzcGlubG9ja190IGxvY2s7CiAgICAg
fSB2Z2ljOwogCisgICAgLyogVGltZXIgcmVnaXN0ZXJzICAqLworICAgIHVp
bnQzMl90IGNudGtjdGw7CisKICAgICBzdHJ1Y3QgdnRpbWVyIHBoeXNfdGlt
ZXI7CiAgICAgc3RydWN0IHZ0aW1lciB2aXJ0X3RpbWVyOwogfSAgX19jYWNo
ZWxpbmVfYWxpZ25lZDsK

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Thu May 01 10:55:28 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 01 May 2014 10:55:28 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1WfodQ-00021I-Jv; Thu, 01 May 2014 10:54:36 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WfodP-00020Z-17; Thu, 01 May 2014 10:54:35 +0000
Received: from [85.158.137.68:6192] by server-13.bemta-3.messagelabs.com id
	B4/7E-18692-AE722635; Thu, 01 May 2014 10:54:34 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-16.tower-31.messagelabs.com!1398941672!1244676!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.11.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 31464 invoked from network); 1 May 2014 10:54:33 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-16.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	1 May 2014 10:54:33 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WfodH-0004q1-ID; Thu, 01 May 2014 10:54:27 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WfodH-0004Jw-FC; Thu, 01 May 2014 10:54:27 +0000
Date: Thu, 01 May 2014 10:54:27 +0000
Message-Id: <E1WfodH-0004Jw-FC@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 92 (CVE-2014-3124) -
 HVMOP_set_mem_type allows invalid P2M entries to be created
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2014-3124 / XSA-92
                              version 3

      HVMOP_set_mem_type allows invalid P2M entries to be created

UPDATES IN VERSION 3
====================

This issue has been assigned CVE-2014-3124.

ISSUE DESCRIPTION
=================

The implementation in Xen of the HVMOP_set_mem_type HVM control
operations attempts to exclude transitioning a page from an
inappropriate memory type.  However, only an inadequate subset of
memory types is excluded.

There are certain other types that don't correspond to a particular
valid page, whose page table translation can be inappropriately
changed (by HVMOP_set_mem_type) from not-present (due to the lack of
valid memory page) to present.  If this occurs, an invalid translation
will be established.

IMPACT
======

In a configuration where device models run with limited privilege (for
example, stubdom device models), a guest attacker who successfully
finds and exploits an unfixed security flaw in qemu-dm could leverage
the other flaw into a Denial of Service affecting the whole host.

In the more general case, in more abstract terms: a malicious
administrator of a domain privileged with regard to an HVM guest can
cause Xen to crash leading to a Denial of Service.

Arbitrary code execution, and therefore privilege escalation, cannot
be entirely excluded: On a system with a RAM page present immediately
below the 52-bit address boundary, this would be possible.  However,
we are not aware of any systems with such a memory layout.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.1 onwards are vulnerable.

The vulnerability is only exposed to service domains for HVM guests
which have privilege over the guest.  In a usual configuration that
means only device model emulators (qemu-dm).

In the case of HVM guests whose device model is running in an
unrestricted dom0 process, qemu-dm already has the ability to cause
problems for the whole system.  So in that case the vulnerability is
not applicable.

The situation is more subtle for an HVM guest with a stub qemu-dm.
That is, where the device model runs in a separate domain (in the case
of xl, as requested by "device_model_stubdomain_override=1" in the xl
domain configuration file).  The same applies with a qemu-dm in a dom0
process subjected to some kind kernel-based process privilege
limitation (eg the chroot technique as found in some versions of
XCP/XenServer).

In those latter situations this issue means that the extra isolation
does not provide as good a defence (against denial of service) as
intended.  That is the essence of this vulnerability.

However, the security is still better than with a qemu-dm running as
an unrestricted dom0 process.  Therefore users with these
configurations should not switch to an unrestricted dom0 qemu-dm.

Finally, in a radically disaggregated system: where the HVM service
domain software (probably, the device model domain image) is not
always supplied by the host administrator, a malicious service domain
administrator can exercise this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

In a radically disaggregated system, restricting HVM service domains
to software images approved by the host administrator will avoid the
vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa92.patch                 xen-unstable, Xen 4.4.x, Xen 4.3.x
xsa92-4.2.patch             Xen 4.2.x
xsa92-4.1.patch             Xen 4.1.x

$ sha256sum xsa92*.patch
184dcb88dfb4540fca33016ffcfe0f4f557449ab5b4ec6a4bf486c75926d23f3  xsa92.patch
76905398958dfcec98fb5bde2a68c0e86a3ccc9f442a8a658e972937fd75534a  xsa92-4.1.patch
bca98827834f807c787fceb6c719d9d4fe3c40786cb087156829e5e6fb5700d6  xsa92-4.2.patch
$

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
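
Added example (not part of the advisory and not Xen project code): a Python
sketch that sorts xl domain configuration files into the cases the VULNERABLE
SYSTEMS section above distinguishes. It assumes the guest type is selected by
the xl "builder" setting; the function names, status strings and sample
configurations are constructed for illustration.

```python
import re

# One scalar assignment per line, as xl domain configuration files use.
_ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*;?\s*$')

# Status strings are names chosen for this example, not Xen terminology.
PV = "pv"
HVM_STUBDOM = "hvm-stubdom"
HVM_DOM0_QEMU = "hvm-dom0-qemu"

ADVICE = {
    PV: "PV guest: not exposed to this issue.",
    HVM_STUBDOM: "HVM guest with stub device model: the isolation is weaker "
                 "than intended against host denial of service; apply the patch.",
    HVM_DOM0_QEMU: "HVM guest with qemu-dm as a dom0 process: not applicable if "
                   "that process is unrestricted; if it is confined (eg chroot), "
                   "treat it like the stubdom case. The xl config cannot tell which.",
}


def _strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside quoted strings."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line


def parse_xl_config(text):
    """Return the scalar 'key = value' settings of an xl config as strings."""
    settings = {}
    for raw in text.splitlines():
        m = _ASSIGN.match(_strip_comment(raw))
        if not m:
            continue  # blank line, comment, or continuation of a list value
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key] = value
    return settings


def _enabled(value):
    """xl booleans are integers; anything non-numeric counts as unset."""
    try:
        return int(value) != 0
    except (TypeError, ValueError):
        return False


def classify(text):
    """Map one xl config to the advisory's configuration cases."""
    settings = parse_xl_config(text)
    # Assumption: HVM guests are declared with builder = "hvm".
    if settings.get("builder", "").lower() != "hvm":
        return PV
    if _enabled(settings.get("device_model_stubdomain_override")):
        return HVM_STUBDOM
    return HVM_DOM0_QEMU


def audit(configs):
    """Classify a mapping of file name -> config text."""
    return {name: classify(text) for name, text in configs.items()}


# Constructed sample configurations, not taken from any real host.
SAMPLE_CONFIGS = {
    "web-pv.cfg": 'name = "web"\nkernel = "/boot/vmlinuz-guest"\nmemory = 1024\n',
    "win-stub.cfg": 'name = "win"\nbuilder = "hvm"  # full virtualisation\n'
                    "device_model_stubdomain_override = 1\n",
    "legacy-hvm.cfg": "name = 'legacy'\nbuilder = 'hvm'\n"
                      "# device_model_stubdomain_override = 1\n",
}

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{name}: {ADVICE[status]}")
```
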


From xen-announce-bounces@lists.xen.org Wed May 14 11:51:08 2014
Message-ID: <53735739.2000201@xen.org>
Date: Wed, 14 May 2014 12:44:57 +0100
From: Lars Kurth <lars.kurth@xen.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: xen-announce@lists.xen.org
X-Mailman-Approved-At: Wed, 14 May 2014 11:49:40 +0000
Subject: [Xen-announce] Xen Project Developer Summit Update : CfP closes in
	two days
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: lars.kurth@xen.org
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============6400556019039246283=="
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

This is a multi-part message in MIME format.
--===============6400556019039246283==
Content-Type: multipart/alternative;
 boundary="------------090605010301070408000609"

This is a multi-part message in MIME format.
--------------090605010301070408000609
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

The Xen Project Developer Summit is approaching: the Call For
Participation
<http://events.linuxfoundation.org/events/xen-project-developer-summit/program/cfp>
will be open for two more days until */May 16, 2014 11:55pm (EST)/*.


    Our Program Management Committee

I wanted to also take the opportunity to introduce this year's Program 
Management Committee.

  * *Amir Chaudhry (University of Cambridge):* Amir is a post-doc at the
    Cambridge Computer Lab. Amir is program manager at OCaml Labs and
    runs community outreach activities in Mirage OS, a Xen Project team.
  * *Boris Ostrovski (Oracle):* Boris is working on various Linux and Xen
    Project components and is also maintainer of a number of Xen project
    subsystems. He is also a Google Summer of Code Mentor.
  * *Dario Faggioli (Citrix):* Dario has interacted with the Linux kernel
    as part of his PhD working on real-time scheduling and other
    embedded technologies. He now works on various Xen Project
    components and is the Xen Project Blog Czar.
  * *Lars Kurth (Chairman of the Xen Project Advisory Board):* Lars has
    been working as Community Manager for the Xen Project for 3 years
    now and also chairs the Xen Project Advisory Board and other Xen
    Project Working Groups.


    Developer Summit Program Announcement

We are aiming to publish the Xen Project Developer Summit program in
the /1st week of June/. People who have submitted talks, should get an
acceptance e-mail a week before.


    Birds of a Feather Sessions & Discussion Groups

This year we will again have space for Birds of a Feather Sessions & 
Discussion Groups. We will publish how you can request a BoF a little 
bit closer to the event. In the meantime you should be aware of the 
ground rules for BoFs:

  * Each BoF host will get 3-5 minutes (depending on the number of BoFs
    on the day) to pitch your BoF to the entire audience. Slides are not
    allowed.
  * After we publish the Xen Project Developer schedule, community
    members that have registered for the summit can submit a request to
    host a BoF (specifying a couple of slots in preference order)
  * BoFs are small discussion groups, not presentations. You are
    expected to take notes (or nominate an attendee to do so) and post
    discussion notes on one of our mailing lists after the summit.


    Developer Meeting

I am also pleased to announce that we will also be hosting a 1/2 day Xen 
Project Developer Meeting the day after the Xen Project Developer 
Summit. Spaces are limited: the event is open to all members of the 
Developer Community. More details will follow soon.


    Where to stay at the summit

Discounted hotels are listed at the event website
<http://events.linuxfoundation.org/events/xen-project-developer-summit/attend/hotel-and-travel>
at the price of 199 USD per night including wifi. Reservations have to be
made by /July 30th/. We are sharing a room block with other Linux
Foundation events, so please book early.



--------------090605010301070408000609--


--===============6400556019039246283==--


From xen-announce-bounces@lists.xen.org Wed May 14 11:51:08 2014
Message-ID: <53735739.2000201@xen.org>
Date: Wed, 14 May 2014 12:44:57 +0100
From: Lars Kurth <lars.kurth@xen.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: xen-announce@lists.xen.org
X-Mailman-Approved-At: Wed, 14 May 2014 11:49:40 +0000
Subject: [Xen-announce] Xen Project Developer Summit Update : CfP closes in
	two days
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: lars.kurth@xen.org
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============6400556019039246283=="
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

This is a multi-part message in MIME format.
--===============6400556019039246283==
Content-Type: multipart/alternative;
 boundary="------------090605010301070408000609"

This is a multi-part message in MIME format.
--------------090605010301070408000609
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

The Xen Project Developer Summit is approaching: the Call For
Participation
<http://events.linuxfoundation.org/events/xen-project-developer-summit/program/cfp>
will be open for two more days until */May 16, 2014 11:55pm (EST)/*.


    Our Program Management Committee

I wanted to also take the opportunity to introduce this year's Program 
Management Committee.

  * *Amir Chaudhry (University of Cambridge):* Amir is a post-doc at the
    Cambridge Computer Lab. Amir is program manager at OCaml Labs and
    runs community outreach activities in Mirage OS, a Xen Project team.
  * *Boris Ostrovski (Oracle):* Boris is working on various Linux and Xen
    Project components and is also maintainer of a number of Xen project
    subsystems. He is also a Google Summer of Code Mentor.
  * *Dario Faggioli (Citrix):* Dario has interacted with the Linux kernel
    as part of his PhD working on real-time scheduling and other
    embedded technologies. He now works on various Xen Project
    components and is the Xen Project Blog Czar.
  * *Lars Kurth (Chairman of the Xen Project Advisory Board):* Lars has
    been working as Community Manager for the Xen Project for 3 years
    now and also chairs the Xen Project Advisory Board and other Xen
    Project Working Groups.


    Developer Summit Program Announcement

We are aiming to publish the Xen Project Developer Summit program in
the /1st week of June/. People who have submitted talks, should get an
acceptance e-mail a week before.


    Birds of a Feather Sessions & Discussion Groups

This year we will again have space for Birds of a Feather Sessions & 
Discussion Groups. We will publish how you can request a BoF a little 
bit closer to the event. In the meantime you should be aware of the 
ground rules for BoFs:

  * Each BoF host will get 3-5 minutes (depending on the number of BoFs
    on the day) to pitch your BoF to the entire audience. Slides are not
    allowed.
  * After we publish the Xen Project Developer schedule, community
    members that have registered for the summit can submit a request to
    host a BoF (specifying a couple of slots in preference order)
  * BoFs are small discussion groups, not presentations. You are
    expected to take notes (or nominate an attendee to do so) and post
    discussion notes on one of our mailing lists after the summit.


    Developer Meeting

I am also pleased to announce that we will also be hosting a 1/2 day Xen 
Project Developer Meeting the day after the Xen Project Developer 
Summit. Spaces are limited: the event is open to all members of the 
Developer Community. More details will follow soon.


    Where to stay at the summit

Discounted hotels are listed at the event website
<http://events.linuxfoundation.org/events/xen-project-developer-summit/attend/hotel-and-travel>
at the price of 199 USD per night including wifi. Reservations have to be
made by /July 30th/. We are sharing a room block with other Linux
Foundation events, so please book early.


--------------090605010301070408000609
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p style="color: rgb(51, 51, 51); font-family: Georgia, 'Times New
      Roman', 'Bitstream Charter', Times, serif; font-size: 13px;
      font-style: normal; font-variant: normal; font-weight: normal;
      letter-spacing: normal; line-height: 19px; orphans: auto;
      text-align: start; text-indent: 0px; text-transform: none;
      white-space: normal; widows: auto; word-spacing: 0px;
      -webkit-text-stroke-width: 0px;">The Xen Project Developer Summit
      is approaching: the<span class="Apple-converted-space">&nbsp;</span><a
href="http://events.linuxfoundation.org/events/xen-project-developer-summit/program/cfp"
data-mce-href="http://events.linuxfoundation.org/events/xen-project-developer-summit/program/cfp">Call
        For Participation</a><span class="Apple-converted-space">&nbsp;</span>will
      be open for two more days until<span class="Apple-converted-space">&nbsp;</span><b><em>May
          16, 2014 11:55pm (EST)</em></b>.</p>
    <h2 style="font-size: 1.5em; color: rgb(51, 51, 51); font-family:
      Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;
      font-style: normal; font-variant: normal; letter-spacing: normal;
      line-height: 19px; orphans: auto; text-align: start; text-indent:
      0px; text-transform: none; white-space: normal; widows: auto;
      word-spacing: 0px; -webkit-text-stroke-width: 0px;">Our Program
      Management Committee</h2>
    <p style="color: rgb(51, 51, 51); font-family: Georgia, 'Times New
      Roman', 'Bitstream Charter', Times, serif; font-size: 13px;
      font-style: normal; font-variant: normal; font-weight: normal;
      letter-spacing: normal; line-height: 19px; orphans: auto;
      text-align: start; text-indent: 0px; text-transform: none;
      white-space: normal; widows: auto; word-spacing: 0px;
      -webkit-text-stroke-width: 0px;">I wanted to also take the
      opportunity to introduce this year&#8217;s Program Management Committee.</p>
    <ul style="color: rgb(51, 51, 51); font-family: Georgia, 'Times New
      Roman', 'Bitstream Charter', Times, serif; font-size: 13px;
      font-style: normal; font-variant: normal; font-weight: normal;
      letter-spacing: normal; line-height: 19px; orphans: auto;
      text-align: start; text-indent: 0px; text-transform: none;
      white-space: normal; widows: auto; word-spacing: 0px;
      -webkit-text-stroke-width: 0px;">
      <li><b>Amir Chaudhry (University of Cambridge):</b><span
          class="Apple-converted-space">&nbsp;</span>Amir is a post-doc at
        the Cambridge Computer Lab. Amir is program manager at OCaml
        Labs and runs community outreach activities in Mirage OS, a Xen
        Project team.</li>
      <li><b>Boris Ostrovski (Oracle):</b><span
          class="Apple-converted-space">&nbsp;</span>Boris is working on
        various Linux and Xen Project components and is also maintainer
        of a number of Xen project subsystems. He is also a Google
        Summer of Code Mentor.</li>
      <li><b>Dario Faggioli (Citrix):</b><span
          class="Apple-converted-space">&nbsp;</span>Dario has interacted
        with the Linux kernel as part of his PhD working on real-time
        scheduling and other embedded technologies. He now works on
        various Xen Project components and is the Xen Project Blog Czar.</li>
      <li><b>Lars Kurth (Chairman of the Xen Project Advisory Board):</b><span
          class="Apple-converted-space">&nbsp;</span>Lars has been working as
        Community Manager for the Xen Project for 3 years now and also
        chairs the Xen Project Advisory Board and other Xen Project
        Working Groups.</li>
    </ul>
    <h2 style="font-size: 1.5em; color: rgb(51, 51, 51); font-family:
      Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;
      font-style: normal; font-variant: normal; letter-spacing: normal;
      line-height: 19px; orphans: auto; text-align: start; text-indent:
      0px; text-transform: none; white-space: normal; widows: auto;
      word-spacing: 0px; -webkit-text-stroke-width: 0px;">Developer
      Summit Program Announcement</h2>
    <p style="color: rgb(51, 51, 51); font-family: Georgia, 'Times New
      Roman', 'Bitstream Charter', Times, serif; font-size: 13px;
      font-style: normal; font-variant: normal; font-weight: normal;
      letter-spacing: normal; line-height: 19px; orphans: auto;
      text-align: start; text-indent: 0px; text-transform: none;
      white-space: normal; widows: auto; word-spacing: 0px;
      -webkit-text-stroke-width: 0px;">We are aiming to publish the Xen
      Project Developer Summit program in the<span
        class="Apple-converted-space">&nbsp;</span><em>1st week of June</em>.
      People who have submitted talks, should get an acceptance e-mail a
      week before.</p>
    <h2 style="font-size: 1.5em; color: rgb(51, 51, 51); font-family:
      Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;
      font-style: normal; font-variant: normal; letter-spacing: normal;
      line-height: 19px; orphans: auto; text-align: start; text-indent:
      0px; text-transform: none; white-space: normal; widows: auto;
      word-spacing: 0px; -webkit-text-stroke-width: 0px;">Birds of a
      Feather Sessions &amp; Discussion Groups</h2>
    <p style="color: rgb(51, 51, 51); font-family: Georgia, 'Times New
      Roman', 'Bitstream Charter', Times, serif; font-size: 13px;
      font-style: normal; font-variant: normal; font-weight: normal;
      letter-spacing: normal; line-height: 19px; orphans: auto;
      text-align: start; text-indent: 0px; text-transform: none;
      white-space: normal; widows: auto; word-spacing: 0px;
      -webkit-text-stroke-width: 0px;">This year we will again have
      space for Birds of a Feather Sessions &amp; Discussion Groups. We
      will publish how you can request a BoF a little bit closer to the
      event. In the meantime you should be aware of the ground rules for
      BoFs:</p>
    <ul style="color: rgb(51, 51, 51); font-family: Georgia, 'Times New
      Roman', 'Bitstream Charter', Times, serif; font-size: 13px;
      font-style: normal; font-variant: normal; font-weight: normal;
      letter-spacing: normal; line-height: 19px; orphans: auto;
      text-align: start; text-indent: 0px; text-transform: none;
      white-space: normal; widows: auto; word-spacing: 0px;
      -webkit-text-stroke-width: 0px;">
      <li>Each BoF host will get 3-5 minutes (depending on the number of
        BoFs on the day) to pitch their BoF to the entire audience.
        Slides are not allowed.</li>
      <li>After we publish the Xen Project Developer schedule, community
        members that have registered for the summit can submit a request
        to host a BoF (specifying a couple of slots in preference order).</li>
      <li>BoFs are small discussion groups, not presentations. You are
        expected to take notes (or nominate an attendee to do so) and
        post discussion notes on one of our mailing lists after the
        summit.</li>
    </ul>
    <h2 style="font-size: 1.5em; color: rgb(51, 51, 51); font-family:
      Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;
      font-style: normal; font-variant: normal; letter-spacing: normal;
      line-height: 19px; orphans: auto; text-align: start; text-indent:
      0px; text-transform: none; white-space: normal; widows: auto;
      word-spacing: 0px; -webkit-text-stroke-width: 0px;">Developer
      Meeting</h2>
    <p style="color: rgb(51, 51, 51); font-family: Georgia, 'Times New
      Roman', 'Bitstream Charter', Times, serif; font-size: 13px;
      font-style: normal; font-variant: normal; font-weight: normal;
      letter-spacing: normal; line-height: 19px; orphans: auto;
      text-align: start; text-indent: 0px; text-transform: none;
      white-space: normal; widows: auto; word-spacing: 0px;
      -webkit-text-stroke-width: 0px;">I am also pleased to announce
      that we will be hosting a 1/2 day Xen Project Developer
      Meeting the day after the Xen Project Developer Summit. Spaces are
      limited: the event is open to all members of the Developer
      Community. More details will follow soon.</p>
    <h2 style="font-size: 1.5em; color: rgb(51, 51, 51); font-family:
      Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;
      font-style: normal; font-variant: normal; letter-spacing: normal;
      line-height: 19px; orphans: auto; text-align: start; text-indent:
      0px; text-transform: none; white-space: normal; widows: auto;
      word-spacing: 0px; -webkit-text-stroke-width: 0px;">Where to stay
      at the summit</h2>
    <p style="color: rgb(51, 51, 51); font-family: Georgia, 'Times New
      Roman', 'Bitstream Charter', Times, serif; font-size: 13px;
      font-style: normal; font-variant: normal; font-weight: normal;
      letter-spacing: normal; line-height: 19px; orphans: auto;
      text-align: start; text-indent: 0px; text-transform: none;
      white-space: normal; widows: auto; word-spacing: 0px;
      -webkit-text-stroke-width: 0px;">Discounted hotels are listed at
      the<span class="Apple-converted-space">&nbsp;</span><a
href="http://events.linuxfoundation.org/events/xen-project-developer-summit/attend/hotel-and-travel"
data-mce-href="http://events.linuxfoundation.org/events/xen-project-developer-summit/attend/hotel-and-travel">event
        website</a><span class="Apple-converted-space">&nbsp;</span>at the
      price of 199 USD per night including wifi. Reservations have to be
      made by<span class="Apple-converted-space">&nbsp;</span><em>July 30th</em>.
      We are sharing a room block with other Linux Foundation events, so
      please book early.</p>
  </body>
</html>

--------------090605010301070408000609--


--===============6400556019039246283==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--===============6400556019039246283==--


From xen-announce-bounces@lists.xen.org Wed May 14 12:05:45 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 14 May 2014 12:05:45 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1WkXvD-00060o-Cf; Wed, 14 May 2014 12:04:31 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>) id 1WkXvC-00060R-Do
	for xen-announce@lists.xen.org; Wed, 14 May 2014 12:04:30 +0000
Received: from [85.158.139.211:65310] by server-6.bemta-5.messagelabs.com id
	A1/7F-19576-DCB53735; Wed, 14 May 2014 12:04:29 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-6.tower-206.messagelabs.com!1400069067!4207709!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.11.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 23668 invoked from network); 14 May 2014 12:04:28 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-6.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	14 May 2014 12:04:28 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WkXv1-0004ld-2m; Wed, 14 May 2014 12:04:19 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WkXv0-0000iX-OI; Wed, 14 May 2014 12:04:18 +0000
Date: Wed, 14 May 2014 12:04:18 +0000
Message-Id: <E1WkXv0-0000iX-OI@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 95 - input handling
 vulnerabilities loading guest kernel on ARM
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-95
                             version 2

      input handling vulnerabilities loading guest kernel on ARM

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

When loading a 32-bit ARM guest kernel the Xen tools did not correctly
validate the length of the kernel against the actual image size.  This
would then lead to an overrun on the input buffer when loading the
kernel into guest RAM.

Furthermore when checking a 32-bit guest kernel for an appended DTB,
the Xen tools were prone to additional overruns also leading to an
overrun on the input buffer when loading the kernel into guest RAM.
Also, the tools would access a field in the putative DTB header
without checking for its alignment.

When loading a 64-bit ARM guest kernel the tools similarly did not
fully validate the requested load addresses, possibly leading to an
overrun on the input buffer when loading the kernel into guest RAM.

IMPACT
======

An attacker who can control the kernel used to boot a guest can
exploit these issues.

Exploiting the overflow issues allows information which follows the
guest kernel in the toolstack address space to be copied into the
guest's memory, constituting an information leak.

Alternatively either the overflow or alignment issues could be used to
crash the toolstack process, leading to a denial of service.

VULNERABLE SYSTEMS
==================

ARM systems are vulnerable from Xen 4.4 onwards.

MITIGATION
==========

Ensuring that guests use only trustworthy kernels will avoid this
problem.

CREDITS
=======

This issue was discovered by Thomas Leonard.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa95.patch        xen-unstable, Xen 4.4.x

$ sha256sum xsa95*.patch
1ab63ff126b92e752e88b240838dd66b66415604eaa3e49e373cb50ad3cdd0af  xsa95.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa95.patch"
Content-Disposition: attachment; filename="xsa95.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Fri May 16 10:36:55 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 16 May 2014 10:36:55 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1WlFUU-0004XF-8h; Fri, 16 May 2014 10:35:50 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WlFUT-0004Wr-7J; Fri, 16 May 2014 10:35:49 +0000
Received: from [193.109.254.147:30560] by server-13.bemta-14.messagelabs.com
	id E7/88-23211-40AE5735; Fri, 16 May 2014 10:35:48 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-8.tower-27.messagelabs.com!1400236546!5251607!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.11.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 25304 invoked from network); 16 May 2014 10:35:47 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-8.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	16 May 2014 10:35:47 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WlFUL-00016z-3T; Fri, 16 May 2014 10:35:41 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1WlFUK-00079S-Oi; Fri, 16 May 2014 10:35:41 +0000
Date: Fri, 16 May 2014 10:35:40 +0000
Message-Id: <E1WlFUK-00079S-Oi@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 95 (CVE-2014-3714,
 CVE-2014-3715, CVE-2014-3716,
 CVE-2014-3717) - input handling vulnerabilities loading guest kernel on ARM
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 Xen Security Advisory CVE-2014-3714,CVE-2014-3715,CVE-2014-3716,CVE-2014-3717 / XSA-95
                             version 3

      input handling vulnerabilities loading guest kernel on ARM

UPDATES IN VERSION 3
====================

Several CVE numbers, CVE-2014-{3714,3715,3716,3717} have been assigned
to the issues described here. References have been added to the issue
description.

ISSUE DESCRIPTION
=================

When loading a 32-bit ARM guest kernel the Xen tools did not correctly
validate the length of the kernel against the actual image size.  This
would then lead to an overrun on the input buffer when loading the
kernel into guest RAM (CVE-2014-3714).

Furthermore when checking a 32-bit guest kernel for an appended DTB,
the Xen tools were prone to additional overruns also leading to an
overrun on the input buffer when loading the kernel into guest RAM
(CVE-2014-3715).  Also, the tools would access a field in the putative
DTB header without checking for its alignment (CVE-2014-3716).

When loading a 64-bit ARM guest kernel the tools similarly did not
fully validate the requested load addresses, possibly leading to an
overrun on the input buffer when loading the kernel into guest RAM
(CVE-2014-3717).

IMPACT
======

An attacker who can control the kernel used to boot a guest can
exploit these issues.

Exploiting the overflow issues allows information which follows the
guest kernel in the toolstack address space to be copied into the
guest's memory, constituting an information leak.

Alternatively either the overflow or alignment issues could be used to
crash the toolstack process, leading to a denial of service.

VULNERABLE SYSTEMS
==================

ARM systems are vulnerable from Xen 4.4 onwards.

MITIGATION
==========

Ensuring that guests use only trustworthy kernels will avoid this
problem.

CREDITS
=======

This issue was discovered by Thomas Leonard.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa95.patch        xen-unstable, Xen 4.4.x

$ sha256sum xsa95*.patch
1ab63ff126b92e752e88b240838dd66b66415604eaa3e49e373cb50ad3cdd0af  xsa95.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa95.patch"
Content-Disposition: attachment; filename="xsa95.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
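
The three classes of check named in the XSA-95 issue description (declared length against actual image size, an appended-DTB header read without alignment assumptions, and load-address range validation), as an added C example. It is not the Xen toolstack code or the attached patch: the function names, parameters and sample bytes are constructed for illustration, and only the DTB magic and big-endian totalsize field follow the devicetree blob format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FDT_MAGIC 0xd00dfeedu /* devicetree blob magic, stored big-endian */

/* Constructed sample: 13 filler "kernel" bytes, then a 12-byte DTB
 * (magic, totalsize = 12, 4 payload bytes) at an odd, unaligned offset. */
static const uint8_t sample_blob[25] = {
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
    0xd0, 0x0d, 0xfe, 0xed, 0x00, 0x00, 0x00, 0x0c, 0x01, 0x02, 0x03, 0x04
};

/* Bounds-checked, alignment-safe big-endian read of 4 bytes at 'off'.
 * Returns 0 on success, -1 if [off, off + 4) is not inside the blob. */
static int read_be32(const uint8_t *blob, size_t blob_size, size_t off,
                     uint32_t *out)
{
    uint8_t b[4];

    if (blob_size < 4 || off > blob_size - 4)
        return -1;
    memcpy(b, blob + off, 4); /* no uint32_t* cast: 'off' may be unaligned */
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
    return 0;
}

/* Hypothetical helper: how many bytes of the input blob may be copied into
 * guest RAM, given the end offset the image header declares. Returns 0 when
 * the image must be rejected. */
size_t payload_len(const uint8_t *blob, size_t blob_size, uint32_t declared_end)
{
    uint32_t magic, total;
    size_t len = declared_end;

    /* Declared length must not exceed what was actually read from disk. */
    if (len == 0 || len > blob_size)
        return 0;

    /* Optional appended DTB: only trusted if its whole extent is in the blob. */
    if (read_be32(blob, blob_size, len, &magic) == 0 && magic == FDT_MAGIC) {
        if (read_be32(blob, blob_size, len + 4, &total) != 0)
            return 0;                       /* header itself is truncated */
        if (total < 8 || total > blob_size - len)
            return 0;                       /* totalsize runs past the blob */
        len += total;
    }
    return len;
}

/* Hypothetical helper: compute the guest address range for a load at
 * ram_base + load_offset, rejecting wrap-around and ranges outside RAM.
 * Every comparison is written as a subtraction that cannot overflow. */
int guest_range(uint64_t ram_base, uint64_t ram_size, uint64_t load_offset,
                uint64_t size, uint64_t *v_start, uint64_t *v_end)
{
    if (ram_size > UINT64_MAX - ram_base)
        return -1;                          /* RAM region itself wraps */
    if (load_offset > ram_size)
        return -1;                          /* start lies outside RAM */
    if (size > ram_size - load_offset)
        return -1;                          /* end lies outside RAM */
    *v_start = ram_base + load_offset;
    *v_end = *v_start + size;
    return 0;
}

int main(void)
{
    uint64_t s = 0, e = 0;

    printf("full blob accepted: %zu bytes\n",
           payload_len(sample_blob, sizeof(sample_blob), 13));
    printf("declared end past blob: %zu\n",
           payload_len(sample_blob, sizeof(sample_blob), 26));
    printf("DTB totalsize past blob: %zu\n",
           payload_len(sample_blob, 24, 13));
    printf("range in RAM: %d\n",
           guest_range(0x40000000u, 0x8000000u, 0x80000u, 25, &s, &e));
    printf("offset outside RAM: %d\n",
           guest_range(0x40000000u, 0x8000000u, UINT64_MAX, 25, &s, &e));
    return 0;
}
```
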




