From xen-announce-bounces@lists.xen.org Wed Sep 03 11:32:17 2014
From: Lars Kurth <lars.kurth.xen@gmail.com>
Message-Id: <8BEB8C15-B6AC-49CD-A255-5E17F43322FA@gmail.com>
Date: Wed, 3 Sep 2014 12:29:55 +0100
To: xen-announce@lists.xenproject.org
Subject: [Xen-announce] Xen Project Maintenance Releases Available (Versions
	4.4.1, 4.3.3, 4.2.5)

I am pleased to announce the release of Xen 4.4.1, 4.3.3 and 4.2.5. We
recommend that all users of the 4.4, 4.3 and 4.2 stable series update to
the latest point release.

= Xen 4.4.1 =

Xen 4.4.1 is available immediately from its git repository
http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.4
(tag RELEASE-4.4.1) or from the XenProject download page
http://www.xenproject.org/downloads/xen-archives/supported-xen-44-series/xen-441.html

This fixes the following critical vulnerabilities (also see
http://xenbits.xen.org/xsa/):

* CVE-2014-2599 / XSA-89: HVMOP_set_mem_access is not preemptible
* CVE-2014-3125 / XSA-91: Hardware timer context is not properly context switched on ARM
* CVE-2014-3124 / XSA-92: HVMOP_set_mem_type allows invalid P2M entries to be created
* CVE-2014-2915 / XSA-93: Hardware features unintentionally exposed to guests on ARM
* CVE-2014-2986 / XSA-94: ARM hypervisor crash on guest interrupt controller access
* CVE-2014-3714,CVE-2014-3715,CVE-2014-3716,CVE-2014-3717 / XSA-95: input handling vulnerabilities loading guest kernel on ARM
* CVE-2014-3967,CVE-2014-3968 / XSA-96: Vulnerabilities in HVM MSI injection
* CVE-2014-3969 / XSA-98: insufficient permissions checks accessing guest memory on ARM
* CVE-2014-4021 / XSA-100: Hypervisor heap contents leaked to guests
* CVE-2014-4022 / XSA-101: information leak via gnttab_setup_table on ARM
* CVE-2014-5147 / XSA-102: Flaws in handling traps from 32-bit userspace on 64-bit ARM
* CVE-2014-5148 / XSA-103: Flaw in handling unknown system register access from 64-bit userspace on ARM

Additionally a workaround for CVE-2013-3495 / XSA-59 (Intel VT-d
Interrupt Remapping engines can be evaded by native NMI interrupts) has
been put in place. However, at this point we can't guarantee that all
affected chipsets are being covered; Intel is working diligently on
providing us with a complete list.

Apart from those there are many further bug fixes and improvements.

= Xen 4.3.3 =

Xen 4.3.3 is available immediately from its git repository
http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.3
(tag RELEASE-4.3.3) or from the XenProject download page
http://www.xenproject.org/downloads/xen-archives/supported-xen-43-series/xen-433.html

This fixes the following critical vulnerabilities (also see
http://xenbits.xen.org/xsa/):

* CVE-2014-2599 / XSA-89: HVMOP_set_mem_access is not preemptible
* CVE-2014-3124 / XSA-92: HVMOP_set_mem_type allows invalid P2M entries to be created
* CVE-2014-3967,CVE-2014-3968 / XSA-96: Vulnerabilities in HVM MSI injection
* CVE-2014-4021 / XSA-100: Hypervisor heap contents leaked to guests

Additionally a workaround for CVE-2013-3495 / XSA-59 (Intel VT-d
Interrupt Remapping engines can be evaded by native NMI interrupts) has
been put in place. However, at this point we can't guarantee that all
affected chipsets are being covered; Intel is working diligently on
providing us with a complete list.

Apart from those there are many further bug fixes and improvements.

= Xen 4.2.5 =

Xen 4.2.5 is available immediately from its git repository
http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.2
(tag RELEASE-4.2.5) or from the XenProject download page
http://www.xenproject.org/downloads/xen-archives/supported-xen-42-series/xen-425.html

Note that this is expected to be the last release of the 4.2 stable
series. The tree will be switched to security only maintenance mode
after this release.

This fixes the following critical vulnerabilities (also see
http://xenbits.xen.org/xsa/):

* CVE-2014-2599 / XSA-89: HVMOP_set_mem_access is not preemptible
* CVE-2014-3124 / XSA-92: HVMOP_set_mem_type allows invalid P2M entries to be created
* CVE-2014-3967,CVE-2014-3968 / XSA-96: Vulnerabilities in HVM MSI injection
* CVE-2014-4021 / XSA-100: Hypervisor heap contents leaked to guests

Apart from those there are many further bug fixes and improvements.


From xen-announce-bounces@lists.xen.org Fri Sep 05 16:13:01 2014
Date: Fri, 5 Sep 2014 12:06:45 -0400
Message-ID: <CAHehzX1svxAf0xRem0R0oVG3_mjsBgqzgw+Qwmo459jf5jtrhQ@mail.gmail.com>
From: Russ Pavlicek <russell.pavlicek@xenproject.org>
To: xen-announce@lists.xenproject.org
Subject: [Xen-announce] Register now for Xen Project User Summit,
 Sept 15 in New York City and Save 50%!

In just a few days, we will meet in New York City at this year's Xen
Project User Summit.  On September 15, we will gather at the
Lighthouse Executive Conference Center in midtown Manhattan to learn
about the latest and greatest advances from the Xen Project.

Haven't registered yet?  You can save 50% by using the special
discount code: XenUser50off

This year's event focuses on a number of timely topics, including:

- The New World of Unikernels

Some of the hottest technologies in the world of virtualization are
the unikernels.  Small, lightweight, and secure, unikernels will power
a new type of cloud.  Allowing for hundreds, or even thousands, of VMs
per host, unikernels will allow us to develop exciting new visions of
the cloud.  Hear from the creators of such notable entries as OSv
and HaLVM.

- The Latest about Xen Project in OpenStack and SUSE Cloud

Many organizations are making plans for clouds based on OpenStack.
Now is an excellent time to see how SUSE Cloud can leverage Xen
Project software to make those plans become a reality.

- New Features Coming in Xen Project 4.5

Some mature projects slow down development as they age.  But not Xen
Project!  Our upcoming release has the longest list of new features
we've seen in years!  Get the lowdown on what changes are coming, so
you can start making plans.  Plus, we'll hear about the latest news
from the Board of Advisors.

- Improving Security

You can't get serious about the cloud without addressing security.
Learn about the Advanced Security features of Xen Project as well as
the Zazen security architecture.  And hear about the case study
describing the deployment of Xen Project-powered security devices.

- Upcoming From the XenServer Project

Last summer marked the birth of the Open Source XenServer project.
For years, XenServer has been a very popular commercial product which
leverages Xen Project software.  Now learn what's planned in the next
iteration of XenServer.

- The Newest From Xen Orchestra

There are a number of other software projects in the Xen Project
ecosystem.  One of the most exciting is Xen Orchestra, a web-based GUI
for XAPI and XenServer.

- The Latest from Xen4CentOS

Last year, Xen Project was re-integrated into CentOS 6 via the
Xen4CentOS effort.  Learn how to use Xen4CentOS and hear what's coming
in the new CentOS Virtualization SIG.

- And the Future Development for High Availability

There's plenty more in development at Xen Project.  Still under
development is COLO, an effort to bring high availability to VMs using
lock-step failover.  Hear about the status of this project while it is
still cooking.

- All From the Mouths of Industry Leaders and Innovators

Many of our presenters are from industry leaders like Oracle, Intel,
Citrix, Red Hat, and SUSE.  But we also have people from up-and-coming
organizations like Cloudius Systems, Galois, Vates, Zentific, and
Sound Linux Training.

For the schedule and registration information, please visit the Linux
Foundation Events website:

http://events.linuxfoundation.org/events/xen-project-user-summit/program/schedule

And we hope to see you in New York!


From xen-announce-bounces@lists.xen.org Tue Sep 09 12:33:47 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 09 Sep 2014 12:33:47 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1XRKb0-0007nG-7o; Tue, 09 Sep 2014 12:32:30 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1XRKay-0007mx-Pl; Tue, 09 Sep 2014 12:32:28 +0000
Received: from [85.158.139.211:57134] by server-12.bemta-5.messagelabs.com id
	7C/C7-22251-B53FE045; Tue, 09 Sep 2014 12:32:27 +0000
X-Env-Sender: ianc@xenbits.xen.org
X-Msg-Ref: server-15.tower-206.messagelabs.com!1410265945!10016282!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.11.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 4192 invoked from network); 9 Sep 2014 12:32:26 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-15.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	9 Sep 2014 12:32:26 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1XRKas-0003vn-0c; Tue, 09 Sep 2014 12:32:22 +0000
Received: from ianc by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1XRKar-0006Os-UL; Tue, 09 Sep 2014 12:32:21 +0000
Date: Tue, 09 Sep 2014 12:32:21 +0000
Message-Id: <E1XRKar-0006Os-UL@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 107 - Mishandling of
 uninitialised FIFO-based event channel control blocks
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-107

    Mishandling of uninitialised FIFO-based event channel control blocks

ISSUE DESCRIPTION
=================

When using the FIFO-based event channels, there are no checks for the
existence of a control block when binding an event or moving it to a
different VCPU.  This is because events may be bound when the ABI is
in 2-level mode (e.g., by the toolstack before the domain is started).

The guest may trigger a Xen crash in evtchn_fifo_set_pending() if:

  a) the event is bound to a VCPU without a control block; or
  b) VCPU 0 does not have a control block.

In case (a), Xen will crash when looking up the current queue.  In
(b), Xen will crash when looking up the old queue (which defaults to a
queue on VCPU 0).

IMPACT
======

A buggy or malicious guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen 4.4 and onward are vulnerable.

MITIGATION
==========

None.

CREDITS
=======

This issue was originally reported by Vitaly Kuznetsov at Red Hat and
diagnosed as a security issue by David Vrabel at Citrix.

NOTE REGARDING LACK OF EMBARGO
==============================

This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa107-unstable.patch        xen-unstable
xsa107-4.4.patch             Xen 4.4.x

$ sha256sum xsa107*.patch
b92ba8085b6684abbc8b012ae1a580b9e7ed7c8e67071a9e70381d4c1009638b  xsa107-4.4.patch
cd954a5bd742c751f8db884a3f31bd636a8c5850acddf5f1160dd6be1f706a09  xsa107-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa107-4.4.patch"
Content-Disposition: attachment; filename="xsa107-4.4.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa107-unstable.patch"
Content-Disposition: attachment; filename="xsa107-unstable.patch"
Content-Transfer-Encoding: base64
--=separator--
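
The two crash cases in the advisory above, as a reduced C model that is an added example and not Xen's code or the attached patch: the unchecked function follows the per-VCPU control block pointers without testing them, and the checked one tests for a control block before each lookup. All struct, function and constant names are hypothetical, and the sizes and port number are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NR_VCPUS      2   /* constructed: small model domain */
#define NR_PRIORITIES 4   /* constructed: not the hypervisor's real count */

/* Guest-supplied shared page: one queue head per priority (0 = empty). */
struct control_block { uint32_t head[NR_PRIORITIES]; };

/* Per-VCPU FIFO state; cb stays NULL until the guest registers a block. */
struct vcpu_fifo { struct control_block *cb; };

struct event {
    uint32_t port;
    unsigned notify_vcpu;  /* VCPU the event is bound to (current queue) */
    unsigned last_vcpu;    /* VCPU of the old queue; defaults to 0 */
    unsigned priority;
};

enum result { EVT_QUEUED = 0, EVT_DROPPED = 1 };

/*
 * Unchecked form, shown for contrast and never called in this example.
 * Both lookups assume a control block exists:
 *   case (b): old queue on last_vcpu (VCPU 0 by default) has no block;
 *   case (a): current queue on notify_vcpu has no block.
 * Either one dereferences a NULL-based address and faults.
 */
enum result set_pending_unchecked(struct vcpu_fifo *vcpus, const struct event *e)
{
    uint32_t *old_head = &vcpus[e->last_vcpu].cb->head[e->priority];
    uint32_t *cur_head = &vcpus[e->notify_vcpu].cb->head[e->priority];

    if (*old_head == e->port)
        *old_head = 0;            /* unlink from the old queue */
    *cur_head = e->port;          /* link on the current queue */
    return EVT_QUEUED;
}

/* Checked form: verify indices and control blocks before any dereference. */
enum result set_pending_checked(struct vcpu_fifo *vcpus, const struct event *e)
{
    struct control_block *cur, *old;

    if (e->notify_vcpu >= NR_VCPUS || e->last_vcpu >= NR_VCPUS ||
        e->priority >= NR_PRIORITIES)
        return EVT_DROPPED;

    cur = vcpus[e->notify_vcpu].cb;
    old = vcpus[e->last_vcpu].cb;

    /* Case (a): no block on the target VCPU, so there is nowhere to deliver. */
    if (cur == NULL)
        return EVT_DROPPED;

    /* Case (b): no block on the old VCPU means the event was never linked
     * there, so the unlink step is skipped instead of dereferencing NULL. */
    if (old != NULL && old->head[e->priority] == e->port)
        old->head[e->priority] = 0;

    cur->head[e->priority] = e->port;
    return EVT_QUEUED;
}

/* Build a constructed domain, map only the requested control blocks,
 * deliver port 5 to notify_vcpu, and report the result and resulting head. */
enum result run_case(bool init0, bool init1, unsigned notify_vcpu,
                     uint32_t *head_out)
{
    struct control_block blocks[NR_VCPUS] = {{{0}}};
    struct vcpu_fifo vcpus[NR_VCPUS] = {{NULL}};
    struct event e = { .port = 5, .notify_vcpu = notify_vcpu,
                       .last_vcpu = 0, .priority = 1 };
    enum result r;

    if (init0) vcpus[0].cb = &blocks[0];
    if (init1) vcpus[1].cb = &blocks[1];

    r = set_pending_checked(vcpus, &e);
    *head_out = 0;
    if (notify_vcpu < NR_VCPUS && vcpus[notify_vcpu].cb != NULL)
        *head_out = vcpus[notify_vcpu].cb->head[e.priority];
    return r;
}

int main(void)
{
    static const char *names[] = { "queued", "dropped" };
    uint32_t head = 0;
    enum result r;

    r = run_case(true, false, 1, &head);
    printf("(a) bound to VCPU 1, VCPU 1 unmapped: %s\n", names[r]);
    r = run_case(false, true, 1, &head);
    printf("(b) bound to VCPU 1, VCPU 0 unmapped: %s, head=%u\n",
           names[r], (unsigned)head);
    r = run_case(true, true, 1, &head);
    printf("all mapped: %s, head=%u\n", names[r], (unsigned)head);
    return 0;
}
```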


From xen-announce-bounces@lists.xen.org Thu Sep 11 13:02:08 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 11 Sep 2014 13:02:08 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1XS3zE-0003BT-Om; Thu, 11 Sep 2014 13:00:32 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1XS3zD-0003BF-Di; Thu, 11 Sep 2014 13:00:31 +0000
Received: from [85.158.137.68:17354] by server-17.bemta-3.messagelabs.com id
	50/05-01689-EEC91145; Thu, 11 Sep 2014 13:00:30 +0000
X-Env-Sender: ianc@xenbits.xen.org
X-Msg-Ref: server-6.tower-31.messagelabs.com!1410440428!9417804!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.11.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 16254 invoked from network); 11 Sep 2014 13:00:29 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-6.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	11 Sep 2014 13:00:29 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1XS3yw-0001Yo-9z; Thu, 11 Sep 2014 13:00:14 +0000
Received: from ianc by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1XS3yv-0000pi-6I; Thu, 11 Sep 2014 13:00:13 +0000
Date: Thu, 11 Sep 2014 13:00:13 +0000
Message-Id: <E1XS3yv-0000pi-6I@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 107 (CVE-2014-6268) -
 Mishandling of uninitialised FIFO-based event channel control blocks
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-6268 / XSA-107
                              version 2

    Mishandling of uninitialised FIFO-based event channel control blocks

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

When using the FIFO-based event channels, there are no checks for the
existence of a control block when binding an event or moving it to a
different VCPU.  This is because events may be bound when the ABI is
in 2-level mode (e.g., by the toolstack before the domain is started).

The guest may trigger a Xen crash in evtchn_fifo_set_pending() if:

  a) the event is bound to a VCPU without a control block; or
  b) VCPU 0 does not have a control block.

In case (a), Xen will crash when looking up the current queue.  In
(b), Xen will crash when looking up the old queue (which defaults to a
queue on VCPU 0).

IMPACT
======

A buggy or malicious guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen 4.4 and onward are vulnerable.

MITIGATION
==========

None.

CREDITS
=======

This issue was originally reported by Vitaly Kuznetsov at Red Hat and
diagnosed as a security issue by David Vrabel at Citrix.

NOTE REGARDING LACK OF EMBARGO
==============================

This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa107-unstable.patch        xen-unstable
xsa107-4.4.patch             Xen 4.4.x

$ sha256sum xsa107*.patch
b92ba8085b6684abbc8b012ae1a580b9e7ed7c8e67071a9e70381d4c1009638b  xsa107-4.4.patch
cd954a5bd742c751f8db884a3f31bd636a8c5850acddf5f1160dd6be1f706a09  xsa107-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa107-4.4.patch"
Content-Disposition: attachment; filename="xsa107-4.4.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa107-unstable.patch"
Content-Disposition: attachment; filename="xsa107-unstable.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Thu Sep 11 13:02:08 2014
Date: Thu, 11 Sep 2014 13:00:13 +0000
Message-Id: <E1XS3yv-0000pi-6I@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 107 (CVE-2014-6268) -
 Mishandling of uninitialised FIFO-based event channel control blocks


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-6268 / XSA-107
                              version 2

    Mishandling of uninitialised FIFO-based event channel control blocks

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

When using the FIFO-based event channels, there are no checks for the
existence of a control block when binding an event or moving it to a
different VCPU.  This is because events may be bound when the ABI is
in 2-level mode (e.g., by the toolstack before the domain is started).

The guest may trigger a Xen crash in evtchn_fifo_set_pending() if:

  a) the event is bound to a VCPU without a control block; or
  b) VCPU 0 does not have a control block.

In case (a), Xen will crash when looking up the current queue.  In
(b), Xen will crash when looking up the old queue (which defaults to a
queue on VCPU 0).

IMPACT
======

A buggy or malicious guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen 4.4 and onward are vulnerable.

MITIGATION
==========

None.

CREDITS
=======

This issue was originally reported by Vitaly Kuznetsov at Red Hat and
diagnosed as a security issue by David Vrabel at Citrix.

NOTE REGARDING LACK OF EMBARGO
==============================

This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa107-unstable.patch        xen-unstable
xsa107-4.4.patch             Xen 4.4.x

$ sha256sum xsa107*.patch
b92ba8085b6684abbc8b012ae1a580b9e7ed7c8e67071a9e70381d4c1009638b  xsa107-4.4.patch
cd954a5bd742c751f8db884a3f31bd636a8c5850acddf5f1160dd6be1f706a09  xsa107-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa107-4.4.patch"
Content-Disposition: attachment; filename="xsa107-4.4.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa107-unstable.patch"
Content-Disposition: attachment; filename="xsa107-unstable.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--=separator--
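
The two crash conditions in the XSA-107 advisory above, as a small stand-alone C model added to this archive page (not Xen's code and not the attached patch). All names here (`missing_control_blocks`, `set_pending_checked`, the struct layouts) and the choice to check both VCPUs and drop the event are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_VCPUS      2    /* constructed toy domain */
#define NR_PRIORITIES 16

/* Guest-registered page holding one queue head per priority (toy layout). */
struct control_block { uint32_t head[NR_PRIORITIES]; };

struct vcpu {
    struct control_block *cb;   /* NULL until the guest registers one */
    unsigned int dropped;       /* events discarded for this VCPU */
};

struct event {
    unsigned int port;
    unsigned int priority;
    unsigned int notify_vcpu;   /* VCPU the event is bound to */
    unsigned int last_vcpu;     /* VCPU owning the old queue, defaults to 0 */
};

enum { MISSING_NONE = 0, MISSING_BOUND = 1 /* case (a) */, MISSING_OLD = 2 /* case (b) */ };
enum { EV_QUEUED = 0, EV_DROPPED = 1, EV_INVALID = 2 };

/* Reports which control blocks an unchecked lookup would dereference as NULL. */
static int missing_control_blocks(const struct vcpu *vcpus, const struct event *ev)
{
    int missing = MISSING_NONE;
    if (vcpus[ev->notify_vcpu].cb == NULL)
        missing |= MISSING_BOUND;   /* fault while finding the current queue */
    if (vcpus[ev->last_vcpu].cb == NULL)
        missing |= MISSING_OLD;     /* fault while finding the old queue */
    return missing;
}

/* Hardened path: validate indices, then refuse to touch a missing block. */
static int set_pending_checked(struct vcpu *vcpus, struct event *ev)
{
    if (ev->notify_vcpu >= NR_VCPUS || ev->last_vcpu >= NR_VCPUS ||
        ev->priority >= NR_PRIORITIES)
        return EV_INVALID;
    if (missing_control_blocks(vcpus, ev) != MISSING_NONE) {
        vcpus[ev->notify_vcpu].dropped++;   /* drop instead of crashing */
        return EV_DROPPED;
    }
    vcpus[ev->notify_vcpu].cb->head[ev->priority] = ev->port;
    ev->last_vcpu = ev->notify_vcpu;
    return EV_QUEUED;
}

/* Constructed scenarios: cb0/cb1 say which VCPUs registered a control block. */
static struct control_block blocks[NR_VCPUS];
static struct vcpu dom[NR_VCPUS];
static struct event ev;

static void setup(int cb0, int cb1, unsigned int bound)
{
    memset(blocks, 0, sizeof(blocks));
    dom[0].cb = cb0 ? &blocks[0] : NULL;
    dom[1].cb = cb1 ? &blocks[1] : NULL;
    dom[0].dropped = dom[1].dropped = 0;
    ev.port = 5;
    ev.priority = 7;
    ev.notify_vcpu = bound;     /* callers pass 0 or 1 only */
    ev.last_vcpu = 0;           /* old queue defaults to VCPU 0 */
}

static int scenario_missing(int cb0, int cb1, unsigned int bound)
{
    setup(cb0, cb1, bound);
    return missing_control_blocks(dom, &ev);
}

static int scenario_result(int cb0, int cb1, unsigned int bound)
{
    setup(cb0, cb1, bound);
    return set_pending_checked(dom, &ev);
}

/* Queue head left behind by the most recent scenario. */
static uint32_t queued_head(unsigned int vcpu, unsigned int prio)
{
    return blocks[vcpu].head[prio];
}

int main(void)
{
    printf("case (a): missing=%d result=%d\n",
           scenario_missing(1, 0, 1), scenario_result(1, 0, 1));
    printf("case (b): missing=%d result=%d\n",
           scenario_missing(0, 1, 1), scenario_result(0, 1, 1));
    printf("both set: missing=%d result=%d head=%u\n",
           scenario_missing(1, 1, 1), scenario_result(1, 1, 1),
           (unsigned int)queued_head(1, 7));
    return 0;
}
```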


From xen-announce-bounces@lists.xen.org Tue Sep 23 12:15:42 2014
Date: Tue, 23 Sep 2014 12:14:28 +0000
Message-Id: <E1XWOzE-0000wc-M4@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 105 - Missing privilege level
 checks in x86 HLT, LGDT, LIDT, and LMSW emulation


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-105
                              version 2

    Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation

UPDATES IN VERSION 2
====================

Public Release.

Convert patch line endings from DOS to Unix style.

ISSUE DESCRIPTION
=================

The emulation of the instructions HLT, LGDT, LIDT, and LMSW fails to
perform supervisor mode permission checks.

However these instructions are not usually handled by the emulator.
Exceptions to this are
- when the instruction's memory operand (if any) lives in (emulated or
  passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones.

Malicious guest user mode code may be able to leverage this to install
e.g. its own Interrupt Descriptor Table (IDT).

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest or
escalate its own privilege to guest kernel mode.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable.  Older
versions have not been inspected.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa105.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa105*.patch
dfb5ede7cc5609a812a7b1239479cefd387f9f9c8c25e11e64199bc592ad7e39  xsa105.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa105.patch"
Content-Disposition: attachment; filename="xsa105.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--=separator--


From xen-announce-bounces@lists.xen.org Tue Sep 23 12:15:42 2014
Date: Tue, 23 Sep 2014 12:14:32 +0000
Message-Id: <E1XWOzI-0000xa-CH@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 106 - Missing privilege level
 checks in x86 emulation of software interrupts


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-106
                              version 2

    Missing privilege level checks in x86 emulation of software interrupts

UPDATES IN VERSION 2
====================

Public Release.

ISSUE DESCRIPTION
=================

The emulation of instructions which generate software interrupts fails
to perform supervisor mode permission checks.

However these instructions are not usually handled by the emulator.
Exceptions to this are
- when a memory operand (implicit for the affected instructions) lives
  in (emulated or passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones,
- when the guest is in real mode (in which case there are no privilege
  checks anyway).

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest.

VULNERABLE SYSTEMS
==================

Xen versions from 3.3 onwards are vulnerable.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa106.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa106*.patch
301060f801ab39c15ac773e1bcc250f0e6bf30d748007a96173459b83afc9270  xsa106.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa106.patch"
Content-Disposition: attachment; filename="xsa106.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--=separator--
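
The check that XSA-105 and XSA-106 above report as missing, as a stand-alone C model added to this archive page (not Xen's emulator and not the attached patches): the same instructions run through an unchecked and a checked emulation path. All identifiers are hypothetical; the gate-DPL rule applied to software interrupts is architectural x86 behaviour rather than something the advisories spell out, and virtual-8086 mode is not modelled.

```c
#include <stdint.h>
#include <stdio.h>

enum insn   { INSN_HLT, INSN_LGDT, INSN_LIDT, INSN_LMSW, INSN_INT };
enum result { EMUL_OKAY, EMUL_GP_FAULT };

#define KERNEL_IDT 0x1000u       /* constructed values for the demonstration */
#define NEW_IDT    0xdead0000u

struct vcpu_state {
    int      protected_mode;     /* CR0.PE set */
    uint8_t  cpl;                /* current privilege level: 0 kernel, 3 user */
    uint64_t gdt_base, idt_base;
    uint16_t msw;
    int      halted;
    int      last_vector;        /* last software interrupt delivered, -1 if none */
    uint8_t  gate_dpl[256];      /* DPL of each IDT gate */
};

/* Applies the instruction's effect with no permission check at all. */
static enum result emulate_unchecked(struct vcpu_state *st, enum insn insn,
                                     uint64_t operand)
{
    switch (insn) {
    case INSN_HLT:  st->halted = 1;                          break;
    case INSN_LGDT: st->gdt_base = operand;                  break;
    case INSN_LIDT: st->idt_base = operand;                  break;
    case INSN_LMSW: st->msw = (uint16_t)operand;             break;
    case INSN_INT:  st->last_vector = (int)(operand & 0xff); break;
    }
    return EMUL_OKAY;
}

static int is_privileged(enum insn insn)
{
    return insn == INSN_HLT || insn == INSN_LGDT ||
           insn == INSN_LIDT || insn == INSN_LMSW;
}

/* Same effects, gated the way the CPU gates them in protected mode. */
static enum result emulate_checked(struct vcpu_state *st, enum insn insn,
                                   uint64_t operand)
{
    if (st->protected_mode) {
        /* HLT, LGDT, LIDT and LMSW are CPL 0 only. */
        if (is_privileged(insn) && st->cpl != 0)
            return EMUL_GP_FAULT;
        /* INT n may only use a gate whose DPL is at least the caller's CPL. */
        if (insn == INSN_INT && st->gate_dpl[operand & 0xff] < st->cpl)
            return EMUL_GP_FAULT;
    }
    return emulate_unchecked(st, insn, operand);
}

/* Constructed guest: every gate is DPL 0 except vector 0x80, which is DPL 3. */
static struct vcpu_state guest(uint8_t cpl, int protected_mode)
{
    struct vcpu_state st = {0};
    st.protected_mode = protected_mode;
    st.cpl = cpl;
    st.idt_base = KERNEL_IDT;
    st.last_vector = -1;
    st.gate_dpl[0x80] = 3;
    return st;
}

/* Emulates one instruction on a fresh guest and returns the result code. */
static int try_insn(int checked, uint8_t cpl, int protected_mode,
                    enum insn insn, uint64_t operand)
{
    struct vcpu_state st = guest(cpl, protected_mode);
    return checked ? emulate_checked(&st, insn, operand)
                   : emulate_unchecked(&st, insn, operand);
}

/* 1 if a CPL 3 LIDT ends up changing the guest's IDT base, else 0. */
static int user_can_replace_idt(int checked)
{
    struct vcpu_state st = guest(3, 1);
    if (checked)
        emulate_checked(&st, INSN_LIDT, NEW_IDT);
    else
        emulate_unchecked(&st, INSN_LIDT, NEW_IDT);
    return st.idt_base == NEW_IDT;
}

int main(void)
{
    printf("user LIDT takes effect: unchecked=%d checked=%d\n",
           user_can_replace_idt(0), user_can_replace_idt(1));
    printf("user INT 0x0e (DPL 0 gate): unchecked=%d checked=%d\n",
           try_insn(0, 3, 1, INSN_INT, 0x0e), try_insn(1, 3, 1, INSN_INT, 0x0e));
    printf("user INT 0x80 (DPL 3 gate): checked=%d\n",
           try_insn(1, 3, 1, INSN_INT, 0x80));
    return 0;
}
```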


From xen-announce-bounces@lists.xen.org Tue Sep 23 12:15:42 2014
Date: Tue, 23 Sep 2014 12:14:28 +0000
Message-Id: <E1XWOzE-0000wc-M4@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 105 - Missing privilege level
 checks in x86 HLT, LGDT, LIDT, and LMSW emulation
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-105
                              version 2

    Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation

UPDATES IN VERSION 2
====================

Public Release.

Convert patch line endings from DOS to Unix style.

ISSUE DESCRIPTION
=================

The emulation of the instructions HLT, LGDT, LIDT, and LMSW fails to
perform supervisor mode permission checks.

However these instructions are not usually handled by the emulator.
Exceptions to this are
- when the instruction's memory operand (if any) lives in (emulated or
  passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones.

Malicious guest user mode code may be able to leverage this to install
e.g. its own Interrupt Descriptor Table (IDT).

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest or
escalate its own privilege to guest kernel mode.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable.  Older
versions have not been inspected.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa105.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa105*.patch
dfb5ede7cc5609a812a7b1239479cefd387f9f9c8c25e11e64199bc592ad7e39  xsa105.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa105.patch"
Content-Disposition: attachment; filename="xsa105.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Tue Sep 23 12:15:42 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 23 Sep 2014 12:15:42 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1XWOzQ-00085F-K0; Tue, 23 Sep 2014 12:14:40 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWOzP-00084G-Me; Tue, 23 Sep 2014 12:14:39 +0000
Received: from [85.158.143.35:21589] by server-3.bemta-4.messagelabs.com id
	C5/97-06192-E2461245; Tue, 23 Sep 2014 12:14:38 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-13.tower-21.messagelabs.com!1411474477!5338546!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.12.2; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 17527 invoked from network); 23 Sep 2014 12:14:38 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-13.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	23 Sep 2014 12:14:38 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWOzI-0007F9-EJ; Tue, 23 Sep 2014 12:14:32 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWOzI-0000xa-CH; Tue, 23 Sep 2014 12:14:32 +0000
Date: Tue, 23 Sep 2014 12:14:32 +0000
Message-Id: <E1XWOzI-0000xa-CH@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 106 - Missing privilege level
 checks in x86 emulation of software interrupts
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-106
                              version 2

    Missing privilege level checks in x86 emulation of software interrupts

UPDATES IN VERSION 2
====================

Public Release.

ISSUE DESCRIPTION
=================

The emulation of instructions which generate software interrupts fails
to perform supervisor mode permission checks.

However these instructions are not usually handled by the emulator.
Exceptions to this are
- when a memory operand (implicit for the affected instructions) lives
  in (emulated or passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones,
- when the guest is in real mode (in which case there are no privilege
  checks anyway).

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest.

VULNERABLE SYSTEMS
==================

Xen versions from 3.3 onwards are vulnerable.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa106.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa106*.patch
301060f801ab39c15ac773e1bcc250f0e6bf30d748007a96173459b83afc9270  xsa106.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa106.patch"
Content-Disposition: attachment; filename="xsa106.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Tue Sep 23 12:15:42 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 23 Sep 2014 12:15:42 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1XWOzN-00083M-Jz; Tue, 23 Sep 2014 12:14:37 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWOzM-00082u-6M; Tue, 23 Sep 2014 12:14:36 +0000
Received: from [85.158.143.35:21270] by server-2.bemta-4.messagelabs.com id
	05/65-04525-B2461245; Tue, 23 Sep 2014 12:14:35 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-15.tower-21.messagelabs.com!1411474473!12622957!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.12.2; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 27596 invoked from network); 23 Sep 2014 12:14:34 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-15.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	23 Sep 2014 12:14:34 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWOzA-0007Ei-Ss; Tue, 23 Sep 2014 12:14:24 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWOzA-0000vf-7e; Tue, 23 Sep 2014 12:14:24 +0000
Date: Tue, 23 Sep 2014 12:14:24 +0000
Message-Id: <E1XWOzA-0000vf-7e@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 104 - Race condition in
	HVMOP_track_dirty_vram
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-104
                              version 2

               Race condition in HVMOP_track_dirty_vram

UPDATES IN VERSION 2
====================

Public Release.

ISSUE DESCRIPTION
=================

The routine controlling the setup of dirty video RAM tracking latches
the value of a pointer before taking the respective guarding lock, thus
making it possible for a stale pointer to be used by the time the lock
got acquired and the pointer gets dereferenced.

The hypercall providing access to the affected function is available to
the domain controlling HVM guests.

IMPACT
======

Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

Only domains controlling HVM guests can exploit this vulnerability.
(This includes domains providing hardware emulation services to HVM
guests.)

VULNERABLE SYSTEMS
==================

Xen versions from 4.0.0 onwards are vulnerable.

This vulnerability is only applicable to Xen systems using stub
domains or other forms of disaggregation of control domains for HVM
guests.

MITIGATION
==========

There is no mitigation available for this issue.

(The security of a Xen system using stub domains is still better than
with a qemu-dm running as an unrestricted dom0 process.  Therefore
users with these configurations should not switch to an unrestricted
dom0 qemu-dm.)

CREDITS
=======

This issue was discovered by Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa104.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa104*.patch
fc02f6365ca79a6ef386c882b57fab8b56aa12b54fc9b05054552f0f25e32047  xsa104.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa104.patch"
Content-Disposition: attachment; filename="xsa104.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Wed Sep 24 10:31:35 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 24 Sep 2014 10:31:35 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1XWjqL-000251-EV; Wed, 24 Sep 2014 10:30:41 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWjqI-00022b-JA; Wed, 24 Sep 2014 10:30:39 +0000
Received: from [85.158.143.35:40390] by server-1.bemta-4.messagelabs.com id
	43/AB-05872-C4D92245; Wed, 24 Sep 2014 10:30:36 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-4.tower-21.messagelabs.com!1411554633!12841991!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.12.2; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 31817 invoked from network); 24 Sep 2014 10:30:34 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-4.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	24 Sep 2014 10:30:34 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWjq1-0004zh-HU; Wed, 24 Sep 2014 10:30:21 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWjq1-00053B-Bn; Wed, 24 Sep 2014 10:30:21 +0000
Date: Wed, 24 Sep 2014 10:30:21 +0000
Message-Id: <E1XWjq1-00053B-Bn@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 105 (CVE-2014-7155) - Missing
 privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-7155 / XSA-105
                              version 3

    Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation

UPDATES IN VERSION 3
====================

This issue has been assigned CVE-2014-7155.

ISSUE DESCRIPTION
=================

The emulation of the instructions HLT, LGDT, LIDT, and LMSW fails to
perform supervisor mode permission checks.

However these instructions are not usually handled by the emulator.
Exceptions to this are
- when the instruction's memory operand (if any) lives in (emulated or
  passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones.

Malicious guest user mode code may be able to leverage this to install
e.g. its own Interrupt Descriptor Table (IDT).

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest or
escalate its own privilege to guest kernel mode.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable.  Older
versions have not been inspected.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa105.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa105*.patch
dfb5ede7cc5609a812a7b1239479cefd387f9f9c8c25e11e64199bc592ad7e39  xsa105.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa105.patch"
Content-Disposition: attachment; filename="xsa105.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
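
The missing check described in the XSA-105 advisory above, as an added example that is not the advisory's patch and not Xen's emulator code. It is a toy model in C (every type and function name is hypothetical) that puts an emulation path with no privilege check beside one that raises #GP for HLT, LGDT, LIDT and LMSW unless the guest is at CPL 0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model constructed for this example; none of these names are Xen's. */
enum insn { INSN_NOP, INSN_HLT, INSN_LGDT, INSN_LIDT, INSN_LMSW };
enum emu_result { EMU_OKAY, EMU_EXCEPTION };

#define VEC_GP 13u /* #GP, general protection fault */

struct vcpu {
    unsigned cpl;            /* 0 = guest kernel, 3 = guest user */
    bool     halted;
    uint64_t gdt_base;
    uint64_t idt_base;
    uint16_t msw;            /* low 16 bits of CR0 */
    unsigned pending_vector; /* exception to inject into the guest, 0 = none */
};

static bool insn_is_privileged(enum insn i)
{
    return i == INSN_HLT || i == INSN_LGDT || i == INSN_LIDT || i == INSN_LMSW;
}

/* Architectural effect of the instruction, with no permission check at all. */
static void apply_effect(struct vcpu *v, enum insn i, uint64_t operand)
{
    switch (i) {
    case INSN_HLT:  v->halted = true; break;
    case INSN_LGDT: v->gdt_base = operand; break;
    case INSN_LIDT: v->idt_base = operand; break;
    case INSN_LMSW: /* loads CR0 bits 0-3; PE (bit 0) can be set, not cleared */
        v->msw = (uint16_t)((v->msw & ~0xEu) | (operand & 0xFu));
        break;
    case INSN_NOP:  break;
    }
}

/* Flawed shape: once the emulator is reached, the instruction is carried out. */
enum emu_result emulate_unchecked(struct vcpu *v, enum insn i, uint64_t operand)
{
    apply_effect(v, i, operand);
    return EMU_OKAY;
}

/* Corrected shape: privileged instructions fault unless the guest is at CPL 0,
 * which is what the hardware does when it executes them directly. */
enum emu_result emulate_checked(struct vcpu *v, enum insn i, uint64_t operand)
{
    if (insn_is_privileged(i) && v->cpl != 0) {
        v->pending_vector = VEC_GP; /* guest state is left untouched */
        return EMU_EXCEPTION;
    }
    apply_effect(v, i, operand);
    return EMU_OKAY;
}

/* Run one instruction on a freshly initialised vCPU and return the end state.
 * The initial table bases and MSW are constructed sample values. */
struct vcpu run_as(unsigned cpl, enum insn i, uint64_t operand, bool checked)
{
    struct vcpu v = { .cpl = cpl, .gdt_base = 0x2000, .idt_base = 0x1000,
                      .msw = 0x0001 };
    if (checked)
        emulate_checked(&v, i, operand);
    else
        emulate_unchecked(&v, i, operand);
    return v;
}

int main(void)
{
    struct vcpu a = run_as(3, INSN_LIDT, 0x4000, false);
    struct vcpu b = run_as(3, INSN_LIDT, 0x4000, true);
    struct vcpu c = run_as(0, INSN_LIDT, 0x4000, true);

    printf("CPL3 unchecked: idt_base=%#llx vector=%u\n",
           (unsigned long long)a.idt_base, a.pending_vector);
    printf("CPL3 checked:   idt_base=%#llx vector=%u\n",
           (unsigned long long)b.idt_base, b.pending_vector);
    printf("CPL0 checked:   idt_base=%#llx vector=%u\n",
           (unsigned long long)c.idt_base, c.pending_vector);
    return 0;
}
```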


From xen-announce-bounces@lists.xen.org Wed Sep 24 10:31:35 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 24 Sep 2014 10:31:35 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1XWjq8-000201-MO; Wed, 24 Sep 2014 10:30:28 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWjq7-0001zo-7d; Wed, 24 Sep 2014 10:30:27 +0000
Received: from [193.109.254.147:29855] by server-12.bemta-14.messagelabs.com
	id 4B/1D-01461-24D92245; Wed, 24 Sep 2014 10:30:26 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-6.tower-27.messagelabs.com!1411554624!12685878!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.12.2; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 17996 invoked from network); 24 Sep 2014 10:30:25 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-6.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	24 Sep 2014 10:30:25 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWjpm-0004za-UI; Wed, 24 Sep 2014 10:30:06 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWjph-00051m-Gn; Wed, 24 Sep 2014 10:30:01 +0000
Date: Wed, 24 Sep 2014 10:30:01 +0000
Message-Id: <E1XWjph-00051m-Gn@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 104 (CVE-2014-7154) - Race
 condition in HVMOP_track_dirty_vram
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-7154 / XSA-104
                              version 3

               Race condition in HVMOP_track_dirty_vram

UPDATES IN VERSION 3
====================

This issue has been assigned CVE-2014-7154.

ISSUE DESCRIPTION
=================

The routine controlling the setup of dirty video RAM tracking latches
the value of a pointer before taking the respective guarding lock, thus
making it possible for a stale pointer to be used by the time the lock
got acquired and the pointer gets dereferenced.

The hypercall providing access to the affected function is available to
the domain controlling HVM guests.

IMPACT
======

Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

Only domains controlling HVM guests can exploit this vulnerability.
(This includes domains providing hardware emulation services to HVM
guests.)

VULNERABLE SYSTEMS
==================

Xen versions from 4.0.0 onwards are vulnerable.

This vulnerability is only applicable to Xen systems using stub
domains or other forms of disaggregation of control domains for HVM
guests.

MITIGATION
==========

There is no mitigation available for this issue.

(The security of a Xen system using stub domains is still better than
with a qemu-dm running as an unrestricted dom0 process.  Therefore
users with these configurations should not switch to an unrestricted
dom0 qemu-dm.)

CREDITS
=======

This issue was discovered by Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa104.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa104*.patch
fc02f6365ca79a6ef386c882b57fab8b56aa12b54fc9b05054552f0f25e32047  xsa104.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa104.patch"
Content-Disposition: attachment; filename="xsa104.patch"
Content-Transfer-Encoding: base64
--=separator--
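
The pattern XSA-104 describes (a pointer latched before its guarding lock is taken), replayed deterministically in one thread as an added example. This is not Xen's code and not the attached patch; every name is hypothetical, the lock is a model, and `live == 0` stands in for freed memory so that nothing invalid is ever dereferenced.

```c
#include <stdio.h>
#include <stddef.h>

enum { TRACK_OK, TRACK_NONE, TRACK_STALE };

struct vram_track { int live; };         /* live == 0 stands in for "freed" */
struct model_lock { int held; };         /* single-threaded stand-in for a lock */
struct domain_model {
    struct model_lock lock;              /* guards 'tracking' */
    struct vram_track *tracking;         /* may be torn down under the lock */
};

/* Work done by another CPU in the window before the lock is acquired. */
typedef void (*race_hook)(struct domain_model *d);

static void lock_acquire(struct model_lock *l) { l->held = 1; }
static void lock_release(struct model_lock *l) { l->held = 0; }

/* Concurrent teardown path: retires the object while holding the lock. */
static void teardown(struct domain_model *d)
{
    lock_acquire(&d->lock);
    if (d->tracking != NULL) {
        d->tracking->live = 0;           /* real code would free it here */
        d->tracking = NULL;
    }
    lock_release(&d->lock);
}

static int inspect(const struct vram_track *t)
{
    if (t == NULL)
        return TRACK_NONE;
    return t->live ? TRACK_OK : TRACK_STALE;
}

/* Flawed ordering: the pointer value is captured before the lock is held. */
static int setup_latch_then_lock(struct domain_model *d, race_hook other_cpu)
{
    struct vram_track *t = d->tracking;  /* latched without the lock */
    int rc;

    if (other_cpu != NULL)
        other_cpu(d);                    /* teardown wins the race */
    lock_acquire(&d->lock);
    rc = inspect(t);                     /* uses whatever was latched earlier */
    lock_release(&d->lock);
    return rc;
}

/* Safe ordering: the pointer is read only while the lock is held. */
static int setup_lock_then_read(struct domain_model *d, race_hook other_cpu)
{
    struct vram_track *t;
    int rc;

    if (other_cpu != NULL)
        other_cpu(d);                    /* same interleaving as above */
    lock_acquire(&d->lock);
    t = d->tracking;                     /* current value, cannot change now */
    rc = inspect(t);
    lock_release(&d->lock);
    return rc;
}

/* Replays one interleaving on a fresh model domain and reports the outcome. */
static int replay(int read_under_lock, int with_teardown)
{
    struct vram_track obj = { 1 };
    struct domain_model d = { { 0 }, &obj };
    race_hook hook = with_teardown ? teardown : NULL;

    return read_under_lock ? setup_lock_then_read(&d, hook)
                           : setup_latch_then_lock(&d, hook);
}

int main(void)
{
    printf("latch-then-lock, raced: %d\n", replay(0, 1));
    printf("lock-then-read,  raced: %d\n", replay(1, 1));
    return 0;
}
```

With the teardown interleaved, the first ordering reports `TRACK_STALE` while the second sees `TRACK_NONE` and can bail out cleanly.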


From xen-announce-bounces@lists.xen.org Wed Sep 24 10:31:35 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 24 Sep 2014 10:31:35 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1XWjqI-00022d-66; Wed, 24 Sep 2014 10:30:38 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWjqG-00021h-Gl; Wed, 24 Sep 2014 10:30:36 +0000
Received: from [85.158.143.35:40215] by server-1.bemta-4.messagelabs.com id
	86/9B-05872-B4D92245; Wed, 24 Sep 2014 10:30:35 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-16.tower-21.messagelabs.com!1411554634!9434792!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.12.2; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 11009 invoked from network); 24 Sep 2014 10:30:35 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-16.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	24 Sep 2014 10:30:35 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWjq4-0004zs-UM; Wed, 24 Sep 2014 10:30:24 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWjq4-00054B-SR; Wed, 24 Sep 2014 10:30:24 +0000
Date: Wed, 24 Sep 2014 10:30:24 +0000
Message-Id: <E1XWjq4-00054B-SR@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 106 (CVE-2014-7156) - Missing
 privilege level checks in x86 emulation of software interrupts
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-7156 / XSA-106
                              version 3

    Missing privilege level checks in x86 emulation of software interrupts

UPDATES IN VERSION 3
====================

This issue has been assigned CVE-2014-7156.

ISSUE DESCRIPTION
=================

The emulation of instructions which generate software interrupts fails
to perform supervisor mode permission checks.

However, these instructions are not usually handled by the emulator.
Exceptions to this are:
- when a memory operand (implicit for the affected instructions) lives
  in (emulated or passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones,
- when the guest is in real mode (in which case there are no privilege
  checks anyway).

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest.

VULNERABLE SYSTEMS
==================

Xen versions from 3.3 onwards are vulnerable.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa106.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa106*.patch
301060f801ab39c15ac773e1bcc250f0e6bf30d748007a96173459b83afc9270  xsa106.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa106.patch"
Content-Disposition: attachment; filename="xsa106.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Wed Sep 24 10:31:35 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 24 Sep 2014 10:31:35 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1XWjqL-000251-EV; Wed, 24 Sep 2014 10:30:41 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWjqI-00022b-JA; Wed, 24 Sep 2014 10:30:39 +0000
Received: from [85.158.143.35:40390] by server-1.bemta-4.messagelabs.com id
	43/AB-05872-C4D92245; Wed, 24 Sep 2014 10:30:36 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-4.tower-21.messagelabs.com!1411554633!12841991!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.12.2; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 31817 invoked from network); 24 Sep 2014 10:30:34 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-4.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	24 Sep 2014 10:30:34 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWjq1-0004zh-HU; Wed, 24 Sep 2014 10:30:21 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XWjq1-00053B-Bn; Wed, 24 Sep 2014 10:30:21 +0000
Date: Wed, 24 Sep 2014 10:30:21 +0000
Message-Id: <E1XWjq1-00053B-Bn@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 105 (CVE-2014-7155) - Missing
 privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-7155 / XSA-105
                              version 3

    Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation

UPDATES IN VERSION 3
====================

This issue has been assigned CVE-2014-7155.

ISSUE DESCRIPTION
=================

The emulation of the instructions HLT, LGDT, LIDT, and LMSW fails to
perform supervisor mode permission checks.

However, these instructions are not usually handled by the emulator.
Exceptions to this are:
- when the instruction's memory operand (if any) lives in (emulated or
  passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones.

Malicious guest user mode code may be able to leverage this to install
e.g. its own Interrupt Descriptor Table (IDT).

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest or
escalate its own privilege to guest kernel mode.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable.  Older
versions have not been inspected.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa105.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa105*.patch
dfb5ede7cc5609a812a7b1239479cefd387f9f9c8c25e11e64199bc592ad7e39  xsa105.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa105.patch"
Content-Disposition: attachment; filename="xsa105.patch"
Content-Transfer-Encoding: base64
--=separator--
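
The class of check that XSA-105 and XSA-106 report as missing, shown as an added example: a small model emulator with and without supervisor-mode checks, plus an audit that counts the cases each variant lets through. This is not Xen's emulator and not the attached patches; all names are hypothetical, and the model covers only real mode and protected mode (no virtual-8086 mode, no descriptor loading).

```c
#include <stdio.h>

enum insn { INSN_NOP, INSN_HLT, INSN_LGDT, INSN_LIDT, INSN_LMSW,
            INSN_INT_N, INSN_COUNT };
enum outcome { EMUL_OKAY, EMUL_GP_FAULT };

struct vcpu_model {
    int protected_mode;   /* 0 = real mode, where no privilege checks apply */
    unsigned cpl;         /* current privilege level: 0 kernel .. 3 user */
};

typedef enum outcome (*emulator_fn)(const struct vcpu_model *v,
                                    enum insn i, unsigned gate_dpl);

/* HLT, LGDT, LIDT and LMSW may only execute at CPL 0 in protected mode. */
static int needs_cpl0(enum insn i)
{
    return i == INSN_HLT || i == INSN_LGDT ||
           i == INSN_LIDT || i == INSN_LMSW;
}

/* Models the flaw: the instruction is carried out with no privilege check. */
static enum outcome emulate_unchecked(const struct vcpu_model *v,
                                      enum insn i, unsigned gate_dpl)
{
    (void)v; (void)i; (void)gate_dpl;
    return EMUL_OKAY;
}

/* Applies the privilege checks before any side effect takes place. */
static enum outcome emulate_checked(const struct vcpu_model *v,
                                    enum insn i, unsigned gate_dpl)
{
    if (!v->protected_mode)
        return EMUL_OKAY;                 /* real mode: nothing to check */
    if (needs_cpl0(i) && v->cpl != 0)
        return EMUL_GP_FAULT;             /* privileged insn from CPL > 0 */
    if (i == INSN_INT_N && gate_dpl < v->cpl)
        return EMUL_GP_FAULT;             /* gate not reachable from this CPL */
    return EMUL_OKAY;
}

/* Counts protected-mode cases where hardware would raise #GP but the
 * emulator under test completes the instruction instead. */
static int count_missed_faults(emulator_fn emulate)
{
    int missed = 0;

    for (unsigned cpl = 0; cpl <= 3; cpl++) {
        struct vcpu_model v = { 1, cpl };

        for (int i = 0; i < INSN_COUNT; i++) {
            /* The gate DPL only matters for software interrupts. */
            unsigned max_dpl = (i == INSN_INT_N) ? 3 : 0;

            for (unsigned dpl = 0; dpl <= max_dpl; dpl++) {
                int hw_faults = (needs_cpl0((enum insn)i) && cpl != 0) ||
                                (i == INSN_INT_N && dpl < cpl);

                if (hw_faults &&
                    emulate(&v, (enum insn)i, dpl) == EMUL_OKAY)
                    missed++;
            }
        }
    }
    return missed;
}

int main(void)
{
    printf("unchecked emulator, missed faults: %d\n",
           count_missed_faults(emulate_unchecked));
    printf("checked emulator, missed faults:   %d\n",
           count_missed_faults(emulate_checked));
    return 0;
}
```

An audit of this shape is a differential test: the same instruction and privilege matrix is run through the emulator and compared with the architectural rule, so a forgotten check shows up as a non-zero count.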

