From xen-announce-bounces@lists.xen.org Tue Jul 07 12:27:46 2015
Date: Tue, 07 Jul 2015 12:26:11 +0000
Message-Id: <E1ZCRwx-0006ws-Qs@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 137 (CVE-2015-3259) - xl
 command line config handling stack overflow


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-3259 / XSA-137
                              version 3

             xl command line config handling stack overflow

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The xl command line utility mishandles long configuration values when
they are passed as command line arguments, resulting in a buffer overrun.

VULNERABLE SYSTEMS
==================

Systems built on top of xl which pass laundered or checked (but
otherwise untrusted) configuration values onto xl's command line,
without restricting their length, are vulnerable.

We are not presently aware of any publicly distributed production
software which exposes the xl vulnerability.  However it is
sufficiently simple to create such an arrangement that it might be
done locally in an attempt to grant partial management access to
particular domains.

Systems using the libxl library directly, without using xl, are not
vulnerable.  Systems using toolstacks other than xl are not
vulnerable.  Systems where only fully trusted input is ever presented
to the xl command line are not vulnerable.

The vulnerability exists on x86 and ARM.

The vulnerability was introduced in Xen 4.1 and affects all subsequent
Xen releases.

IMPACT
======

A semi-trusted guest administrator or controller, who is intended to
be able to partially control the configuration settings for a domain,
can escalate their privileges to that of the whole host.

MITIGATION
==========

Limiting the length of untrusted configuration settings will avoid the
vulnerability.  (The total length of all command-line configuration
settings, including some interposed newlines and trailing nul, must be
less than 1024.)

CREDITS
=======

This issue was discovered by Donghai Zhu of Alibaba.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa137.patch        Xen 4.2.x and later

$ sha256sum xsa137*.patch
0272c443575c88b53445c89ef84f0cd98a03944d3303f06c66c33ef0037d97b9  xsa137.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJVm8UeAAoJEIP+FMlX6CvZmnEH/1Tq+nP7STM4yE56JJsqUikV
HmKbJuCy6yApsMQ7JrPjbs3yo826OQl3BVyZBicfgk6B2Cx78QgbF+XGK6B/9sfz
DP5bMwz9S4n5u7K4bMkppx+6p2nG06hkzfdwzGbCC3nKiW9chYo4NdPtcQRA4d2d
LnSN7JGJjxAFq22a3KKlb5AILr6x/+PYPan/jolf39rXmU1Lcg0fsMFuLm8fK1MQ
burOoCphm8Xd0UOgNaH2BGCAjYoFuxKC7n12u9poCFQpnyKsYI7YGvLI2X6NgHOZ
PRRSsuWqf0g7huzM/UkvPthCJzxmPWPqrLoBVOuspAOFVcqwqDmdKKSjcppEV+Q=
=rvRm
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa137.patch"
Content-Disposition: attachment; filename="xsa137.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
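
The length limit from the MITIGATION section of XSA-137 above, written as a pre-flight check for a wrapper that forwards settings to xl. This is an added example, not code from the advisory or from Xen: the function names, the `xl create` invocation and the config path are assumptions, and counting every argument that contains '=' is a conservative reading of the advisory's wording.

```python
"""Pre-flight length check for settings forwarded to xl (XSA-137 mitigation)."""

# Limit stated in the advisory: the total must be LESS than 1024 bytes.
XL_EXTRA_CONFIG_LIMIT = 1024


class ExtraConfigTooLong(ValueError):
    """Raised when the command-line settings would not stay under the limit."""


def extra_config_size(args):
    """Return the number of bytes the settings in `args` add up to.

    Assumed accounting, following the advisory's wording: every argument
    that contains '=' is a configuration setting, each one is followed by
    one newline, and the combined string ends with a single NUL.
    """
    total = 1  # trailing NUL
    for arg in args:
        # argv is bytes on the C side, so count bytes, not characters.
        # UTF-8 is assumed as the encoding of the process arguments.
        raw = arg.encode("utf-8")
        if b"\0" in raw:
            raise ValueError("NUL byte in argument")
        if b"=" in raw:
            total += len(raw) + 1  # the setting plus its newline
    return total


def checked_xl_argv(trusted_prefix, untrusted_settings,
                    limit=XL_EXTRA_CONFIG_LIMIT):
    """Build the argv for xl, refusing it if the settings reach the limit.

    `trusted_prefix` is the part the wrapper controls (hypothetical here:
    ["xl", "create", "/etc/xen/guest.cfg"]); `untrusted_settings` are the
    already laundered key=value strings supplied by the guest administrator.
    The whole argv is measured, so a '=' in the trusted part counts too.
    """
    argv = list(trusted_prefix) + list(untrusted_settings)
    size = extra_config_size(argv)
    if size >= limit:
        raise ExtraConfigTooLong(
            "settings need %d bytes, limit is %d" % (size, limit))
    return argv


if __name__ == "__main__":
    prefix = ["xl", "create", "/etc/xen/guest.cfg"]  # constructed sample
    samples = {
        "short": ["memory=512", "vcpus=2"],
        "just under the limit": ["name=" + "a" * 1016],
        "exactly at the limit": ["name=" + "a" * 1017],
        # 605 characters, but 1205 bytes once encoded
        "multi-byte value": ["name=" + "\u00e9" * 600],
    }
    for label, settings in samples.items():
        try:
            argv = checked_xl_argv(prefix, settings)
            print("%-22s accepted, %d bytes" % (label, extra_config_size(argv)))
        except ExtraConfigTooLong as exc:
            print("%-22s rejected: %s" % (label, exc))
```

The check belongs in the component that assembles the xl command line, after any other laundering of the values, so that the measured strings are the ones actually passed.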


From xen-announce-bounces@lists.xen.org Mon Jul 27 12:04:24 2015
Date: Mon, 27 Jul 2015 12:03:06 +0000
Message-Id: <E1ZJh7a-0007Mm-P4@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 138 (CVE-2015-5154) - QEMU
 heap overflow flaw while processing certain ATAPI commands.


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-5154 / XSA-138
                              version 2

   QEMU heap overflow flaw while processing certain ATAPI commands.

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The QEMU security team has predisclosed the following advisory:

    A heap overflow flaw was found in the way QEMU's IDE subsystem
    handled I/O buffer access while processing certain ATAPI commands.

    A privileged guest user in a guest with CDROM drive enabled could
    potentially use this flaw to execute arbitrary code on the host
    with the privileges of the host's QEMU process corresponding to
    the guest.

IMPACT
======

An HVM guest which has access to an emulated IDE CDROM device
(e.g. with a device with "devtype=cdrom", or the "cdrom" convenience
alias, in the VBD configuration) can exploit this vulnerability to
take over the qemu process, elevating its privilege to that of the qemu
process.

VULNERABLE SYSTEMS
==================

All Xen systems running x86 HVM guests without stubdomains which have
been configured with an emulated CD-ROM driver model are vulnerable.

Systems using qemu-dm stubdomain device models (for example, by
specifying "device_model_stubdomain_override=1" in xl's domain
configuration files) are NOT vulnerable.

Both the traditional ("qemu-xen-traditional") and upstream-based
("qemu-xen") qemu device models are potentially vulnerable.

Systems running only PV guests are NOT vulnerable.

ARM systems are NOT vulnerable.

MITIGATION
==========

Avoiding the use of emulated CD-ROM devices altogether, by not
specifying such devices in the domain configuration, will avoid this
issue.

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.
qemu-dm stubdomains are only available with "qemu-xen-traditional".

CREDITS
=======

This issue was discovered by Kevin Wolf of Red Hat.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa138-qemut-{1,2}.patch     qemu-xen-traditional, Xen unstable, Xen 4.5.x,
                             Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
xsa138-qemuu-{1,2,3}.patch   qemu-upstream, xen unstable, Xen 4.5.x,
                             Xen 4.4.x, Xen 4.3.x
xsa138-qemuu-{1,3}.patch     qemu-upstream, Xen 4.2.x

NOTE: xsa138-qemuu-2.patch is not required for Xen 4.2.x.

$ sha256sum xsa138*.patch
7e385455379d88658b8ab0d4c1effffe9af21fff2e1dc0fe51cacc779afc83a4  xsa138-qemut-1.patch
c9a89082e36a0646a6fe002c6892d966d415d11ad5cfdcfea7e9c8d7a3f1316c  xsa138-qemut-2.patch
a076808f543c82aeac2f0239a4a46d9baadcd4e4b0a2f9ae7ded99cf59cffde6  xsa138-qemuu-1.patch
ed16dca7d2c179d0931d6e2503264d6593547a803eb3f08f6db7fff2127509a9  xsa138-qemuu-2.patch
090bdec00ede1f0ace1af52833038a74971e060d0c176b42bfca08511d36c644  xsa138-qemuu-3.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except on
systems used and administered only by organisations which are members
of the Xen Project Security Issues Predisclosure List).  Specifically,
deployment on public cloud systems is NOT permitted.

The decision not to permit deployment was made by the group that, at
their discretion, disclosed the issue to the Xen Project Security
Team.

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa138-qemut-1.patch"
Content-Disposition: attachment; filename="xsa138-qemut-1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa138-qemut-2.patch"
Content-Disposition: attachment; filename="xsa138-qemut-2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa138-qemuu-1.patch"
Content-Disposition: attachment; filename="xsa138-qemuu-1.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa138-qemuu-2.patch"
Content-Disposition: attachment; filename="xsa138-qemuu-2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa138-qemuu-3.patch"
Content-Disposition: attachment; filename="xsa138-qemuu-3.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Mon Jul 27 12:04:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 27 Jul 2015 12:04:24 +0000
Date: Mon, 27 Jul 2015 12:03:06 +0000
Message-Id: <E1ZJh7a-0007Mm-P4@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 138 (CVE-2015-5154) - QEMU
 heap overflow flaw while processing certain ATAPI commands.


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-5154 / XSA-138
                              version 2

   QEMU heap overflow flaw while processing certain ATAPI commands.

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The QEMU security team has predisclosed the following advisory:

    A heap overflow flaw was found in the way QEMU's IDE subsystem
    handled I/O buffer access while processing certain ATAPI commands.

    A privileged guest user in a guest with CDROM drive enabled could
    potentially use this flaw to execute arbitrary code on the host
    with the privileges of the host's QEMU process corresponding to
    the guest.

IMPACT
======

An HVM guest which has access to an emulated IDE CDROM device
(e.g. with a device with "devtype=cdrom", or the "cdrom" convenience
alias, in the VBD configuration) can exploit this vulnerability to
take over the qemu process, elevating its privilege to that of the qemu
process.

VULNERABLE SYSTEMS
==================

All Xen systems running x86 HVM guests without stubdomains which have
been configured with an emulated CD-ROM driver model are vulnerable.

Systems using qemu-dm stubdomain device models (for example, by
specifying "device_model_stubdomain_override=1" in xl's domain
configuration files) are NOT vulnerable.

Both the traditional ("qemu-xen-traditional") and upstream-based
("qemu-xen") qemu device models are potentially vulnerable.

Systems running only PV guests are NOT vulnerable.

ARM systems are NOT vulnerable.

MITIGATION
==========

Avoiding the use of emulated CD-ROM devices altogether, by not
specifying such devices in the domain configuration, will avoid this
issue.

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.
qemu-dm stubdomains are only available with "qemu-xen-traditional".

CREDITS
=======

This issue was discovered by Kevin Wolf of Red Hat.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa138-qemut-{1,2}.patch     qemu-xen-traditional, Xen unstable, Xen 4.5.x,
                             Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
xsa138-qemuu-{1,2,3}.patch   qemu-upstream, Xen unstable, Xen 4.5.x,
                             Xen 4.4.x, Xen 4.3.x
xsa138-qemuu-{1,3}.patch     qemu-upstream, Xen 4.2.x

NOTE: xsa138-qemuu-2.patch is not required for Xen 4.2.x.

$ sha256sum xsa138*.patch
7e385455379d88658b8ab0d4c1effffe9af21fff2e1dc0fe51cacc779afc83a4  xsa138-qemut-1.patch
c9a89082e36a0646a6fe002c6892d966d415d11ad5cfdcfea7e9c8d7a3f1316c  xsa138-qemut-2.patch
a076808f543c82aeac2f0239a4a46d9baadcd4e4b0a2f9ae7ded99cf59cffde6  xsa138-qemuu-1.patch
ed16dca7d2c179d0931d6e2503264d6593547a803eb3f08f6db7fff2127509a9  xsa138-qemuu-2.patch
090bdec00ede1f0ace1af52833038a74971e060d0c176b42bfca08511d36c644  xsa138-qemuu-3.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except on
systems used and administered only by organisations which are members
of the Xen Project Security Issues Predisclosure List).  Specifically,
deployment on public cloud systems is NOT permitted.

The decision not to permit deployment was made by the group that, at
their discretion, disclosed the issue to the Xen Project Security
Team.

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa138-qemut-1.patch"
Content-Disposition: attachment; filename="xsa138-qemut-1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa138-qemut-2.patch"
Content-Disposition: attachment; filename="xsa138-qemut-2.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa138-qemuu-1.patch"
Content-Disposition: attachment; filename="xsa138-qemuu-1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa138-qemuu-2.patch"
Content-Disposition: attachment; filename="xsa138-qemuu-2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa138-qemuu-3.patch"
Content-Disposition: attachment; filename="xsa138-qemuu-3.patch"
Content-Transfer-Encoding: base64
--=separator--
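
The VULNERABLE SYSTEMS and MITIGATION conditions of XSA-138 above can be checked against domain configuration files. The following is an added example, not part of the advisory or of the Xen Project's code. It assumes the files use the Python-compatible "name = literal" syntax typical of xl configs (anything else raises SyntaxError and needs manual review), and it also accepts the newer 'type = "hvm"' spelling and the legacy "vdev:cdrom" disk suffix, neither of which the advisory mentions. The sample configs are constructed.

```python
import ast

# Constructed sample xl domain configs (illustrative; not from the advisory).
SAMPLES = {
    "hvm-cdrom.cfg": '''
builder = "hvm"
disk = [ "format=raw, vdev=hda, access=rw, target=/dev/vg0/guest1",
         "format=raw, vdev=hdc, access=ro, devtype=cdrom, target=/srv/iso/os.iso" ]
''',
    "hvm-stubdom.cfg": '''
builder = "hvm"
device_model_stubdomain_override = 1
disk = [ "/srv/iso/os.iso,raw,hdc,ro,cdrom" ]
''',
    "hvm-nocd.cfg": '''
builder = "hvm"
disk = [ "/dev/vg0/guest3,raw,hda,rw" ]
''',
    "pv.cfg": '''
kernel = "/boot/vmlinuz-guest"
disk = [ "/dev/vg0/guest4,raw,xvda,rw" ]
''',
}

def load_xl_config(text):
    """Collect 'name = literal' assignments (assumes Python-compatible syntax)."""
    cfg = {}
    for node in ast.parse(text).body:
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            try:
                cfg[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:
                continue  # skip anything that is not a plain literal
    return cfg

def is_cdrom(disk_spec):
    """True for devtype=cdrom, the bare 'cdrom' alias, or a legacy 'vdev:cdrom'."""
    tokens = ["".join(tok.split()) for tok in disk_spec.split(",")]
    return any(t in ("cdrom", "devtype=cdrom") or t.endswith(":cdrom") for t in tokens)

def classify(text):
    """Map one config to: not-hvm, no-cdrom, stubdomain or exposed."""
    cfg = load_xl_config(text)
    if "hvm" not in (cfg.get("builder"), cfg.get("type")):
        return "not-hvm"  # PV-only guests are not affected
    disks = cfg.get("disk", [])
    disks = [disks] if isinstance(disks, str) else disks
    if not any(is_cdrom(d) for d in disks if isinstance(d, str)):
        return "no-cdrom"
    if cfg.get("device_model_stubdomain_override") in (1, "1"):
        return "stubdomain"  # escalation limited to the service domain
    return "exposed"  # emulated CD-ROM with a non-stubdomain qemu: patch or mitigate

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {classify(text)}")
```

Guests reported as "exposed" are the ones to patch first or to reconfigure as the MITIGATION section describes.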


