From xen-announce-bounces@lists.xen.org Tue Oct 13 12:30:56 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 13 Oct 2015 12:30:56 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Zlyi9-0001I0-3n; Tue, 13 Oct 2015 12:29:45 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <prvs=72153cbb0=wei.liu2@citrix.com>)
	id 1ZlxwZ-00068S-57
	for xen-announce@lists.xenproject.org; Tue, 13 Oct 2015 11:40:35 +0000
Received: from [193.109.254.147] by server-3.bemta-14.messagelabs.com id
	D5/8D-25435-2BDEC165; Tue, 13 Oct 2015 11:40:34 +0000
X-Env-Sender: prvs=72153cbb0=wei.liu2@citrix.com
X-Msg-Ref: server-12.tower-27.messagelabs.com!1444736432!58034655!1
X-Originating-IP: [66.165.176.89]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: 
	VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni44OSA9PiAyMDMwMDc=\n,
	received_headers: No Received headers
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 8072 invoked from network); 13 Oct 2015 11:40:33 -0000
Received: from smtp.citrix.com (HELO SMTP.CITRIX.COM) (66.165.176.89)
	by server-12.tower-27.messagelabs.com with RC4-SHA encrypted SMTP;
	13 Oct 2015 11:40:33 -0000
X-IronPort-AV: E=Sophos;i="5.17,677,1437436800"; d="scan'208";a="306068363"
Date: Tue, 13 Oct 2015 12:40:30 +0100
From: Wei Liu <wei.liu2@citrix.com>
To: <xen-announce@lists.xenproject.org>
Message-ID: <20151013114030.GA13572@zion.uk.xensource.com>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
X-DLP: MIA2
X-Mailman-Approved-At: Tue, 13 Oct 2015 12:29:43 +0000
Subject: [Xen-announce] ANNOUNCEMENT: Xen 4.6 released
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

Hi all

I'm pleased to announce that Xen 4.6 is released. As release manager I would
like to thank everyone who was involved in the making of the 4.6 release (either
in the form of patches, bug reports or packaging effort). This release wouldn't
have happened without all these contributions.

You can check out the 4.6 release from xen.git with the tag "RELEASE-4.6.0".

The tarball and its signature can be obtained from:

http://www.xenproject.org/downloads/xen-archives/xen-46-series/xen-460.html

Release notes can be found at:

http://wiki.xenproject.org/wiki/Xen_Project_4.6_Release_Notes

A summary of the 4.6 release can be found at:

https://blog.xenproject.org/2015/10/13/xen-4-6/


Wei.

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce

From xen-announce-bounces@lists.xen.org Tue Oct 13 12:30:56 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 13 Oct 2015 12:30:56 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Zlyi8-0001Hq-MN; Tue, 13 Oct 2015 12:29:44 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <prvs=7101e345a=wei.liu2@citrix.com>)
	id 1Zi0rD-0000ro-1s; Fri, 02 Oct 2015 13:58:43 +0000
Received: from [193.109.254.147] by server-11.bemta-14.messagelabs.com id
	BB/B6-15765-29D8E065; Fri, 02 Oct 2015 13:58:42 +0000
X-Env-Sender: prvs=7101e345a=wei.liu2@citrix.com
X-Msg-Ref: server-14.tower-27.messagelabs.com!1443794319!55165173!1
X-Originating-IP: [66.165.176.89]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: 
	VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni44OSA9PiAyMDMwMDc=\n,
	received_headers: No Received headers
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 29980 invoked from network); 2 Oct 2015 13:58:41 -0000
Received: from smtp.citrix.com (HELO SMTP.CITRIX.COM) (66.165.176.89)
	by server-14.tower-27.messagelabs.com with RC4-SHA encrypted SMTP;
	2 Oct 2015 13:58:41 -0000
X-IronPort-AV: E=Sophos;i="5.17,623,1437436800"; d="scan'208";a="303909080"
Date: Fri, 2 Oct 2015 14:58:36 +0100
From: Wei Liu <wei.liu2@citrix.com>
To: <xen-devel@lists.xenproject.org>, <xen-announce@lists.xenproject.org>,
	<xen-users@lists.xenproject.org>
Message-ID: <20151002135836.GG30122@zion.uk.xensource.com>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
X-DLP: MIA1
X-Mailman-Approved-At: Tue, 13 Oct 2015 12:29:43 +0000
Subject: [Xen-announce] ANNOUNCEMENT: Xen 4.6 RC5
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

Hi all

Xen 4.6 RC5 has been tagged. You can check out the tag 4.6.0-rc5 in xen.git.

The tarball can be downloaded from:

http://bits.xensource.com/oss-xen/release/4.6.0-rc5/xen-4.6.0-rc5.tar.gz

Signature for tarball:

http://bits.xensource.com/oss-xen/release/4.6.0-rc5/xen-4.6.0-rc5.tar.gz.sig

When reporting bugs, please send your bug report to
xen-devel@lists.xenproject.org, present as much information as possible, tag it
with "BUG-4.6" and CC the release manager (wei.liu2@citrix.com) and the relevant
maintainers.

Note that this RC is tagged on the staging-4.6 branch for the benefit of
earlier testing. We're positive that OSSTest (our CI infrastructure) is
going to get a push to stable-4.6 at some point, because OSSTest
couldn't really test the last few patches added.

We don't arrange a test day for this RC; feel free to report issues
anytime.

Test instructions on:

http://wiki.xenproject.org/wiki/Xen_4.6_RC5_test_instructions

Wei.


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 29 Oct 2015 12:01:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Zrlt1-0008BA-Ba; Thu, 29 Oct 2015 12:00:55 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsz-00087Y-FC; Thu, 29 Oct 2015 12:00:53 +0000
Received: from [85.158.139.211] by server-1.bemta-5.messagelabs.com id
	8B/D4-32615-47A02365; Thu, 29 Oct 2015 12:00:52 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-7.tower-206.messagelabs.com!1446120050!21741987!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 16346 invoked from network); 29 Oct 2015 12:00:51 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-7.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	29 Oct 2015 12:00:51 -0000
Received: from [50.57.170.242] (helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsq-0005jy-VN; Thu, 29 Oct 2015 12:00:44 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsq-00029M-TQ; Thu, 29 Oct 2015 12:00:44 +0000
Date: Thu, 29 Oct 2015 12:00:44 +0000
Message-Id: <E1Zrlsq-00029M-TQ@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 152 (CVE-2015-7971) - x86:
 some pmu and profiling hypercalls log without rate limiting
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-7971 / XSA-152
                              version 3

      x86: some pmu and profiling hypercalls log without rate limiting

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

HYPERVISOR_xenoprof_op and HYPERVISOR_xenpmu_op log some errors and
attempts at invalid operations.

These log messages are not rate-limited, even though they can be
triggered by guests.

IMPACT
======

A malicious guest could cause repeated logging to the hypervisor
console, leading to a Denial of Service attack.

VULNERABLE SYSTEMS
==================

Xen versions 3.2.x and later are affected.  (The VPMU part of the
vulnerability is applicable only to Xen 4.6 and later.)

ARM systems are not affected.  (The pmu hypercall is x86-specific, and
xenoprof is not supported on ARM.)

MITIGATION
==========

The problematic log messages are issued with priority Warning.
Therefore they can be rate limited by adding "loglvl=error/warning" to
the hypervisor command line or suppressed entirely by adding
"loglvl=error".

On systems where the guest kernel is controlled by the host rather
than guest administrator, running only kernels which do not call these
hypercalls will also prevent untrusted guest users from exploiting
this issue. However untrusted guest administrators can still trigger
it unless further steps are taken to prevent them from loading code
into the kernel (e.g. by disabling loadable modules etc) or from using
other mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa152.patch                 xen-unstable, Xen 4.6.x
xsa152-4.5.patch             Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa152*.patch
596f51797aa591b5abd068ead03e21215cf70997c98a4a562392499afe47b81c  xsa152.patch
7ae2811ea80da29ee234ad5a2cbb5908e03db8fb6c50774d378d77d273e74e39  xsa152-4.5.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWMgm/AAoJEIP+FMlX6CvZzPwIAJs/NTew5AJA3bTO6QZtVC2T
sRt2F11prjjeklrAcqSC03q2bBpyylLB6PJ1jmmtT0MKtST5BszGA+sJt3G8nxw1
XKN8zNX5Yzfmltgi6ZeWk/1ps6kceb4evhkIUzt1v8Ttge148rEedGrJD9eLeRht
XdZr8ujXwP3NGBAesKNf0DugPTR7diYyUzvwven+OXVPg0ZT53t1r6Xref7Vl4p6
5b9uOK3rh/QVRbPGTOA1vzObk0MssBTGA615JGG0da4fr4vVUQsVK/MV/N6oc4fJ
iUHUcH83ldLGB9kt3+kq1S6KBESInriytPrKxNFvaKOrPlaOTOKRGvJSW0QZpos=
=BsWE
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa152.patch"
Content-Disposition: attachment; filename="xsa152.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: application/octet-stream; name="xsa152-4.5.patch"
Content-Disposition: attachment; filename="xsa152-4.5.patch"
Content-Transfer-Encoding: base64
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--=separator
--=separator--

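The release and RC announcements above point at a tarball plus a detached signature, and XSA-152 publishes sha256 digests for its patches. What follows is an added example of checking both before applying anything; it is not Xen Project code. The digest block is copied from the XSA-152 text above. The keyring path, the expected signer fingerprint and the directory holding the downloaded files are assumptions supplied by the caller (the fingerprint of the Xen release-signing key is not stated on this page, so it stays a parameter).

```python
"""Checks for the artifacts announced above: XSA patch digests and a release
tarball's detached OpenPGP signature.

Added example, not Xen Project code.  The digest block is copied from the
XSA-152 text; keyring path, expected signer fingerprint and file locations
are assumptions supplied by the caller.
"""
import hashlib
import os
import shutil
import subprocess

# Pasted verbatim from the RESOLUTION section of XSA-152 above.
XSA152_SHA256SUM_BLOCK = """\
$ sha256sum xsa152*.patch
596f51797aa591b5abd068ead03e21215cf70997c98a4a562392499afe47b81c  xsa152.patch
7ae2811ea80da29ee234ad5a2cbb5908e03db8fb6c50774d378d77d273e74e39  xsa152-4.5.patch
$
"""

HEX = set("0123456789abcdef")
# gpg --status-fd keywords that mean "do not trust this signature".
BAD_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_sha256sum_block(text):
    """Turn `sha256sum` output ("<64 hex>  <name>") into {name: digest}.

    Prompt lines ("$ ...", "$") as they appear in the advisory are skipped;
    any other line that is not a well-formed digest line raises, so a garbled
    copy-paste fails loudly instead of silently dropping a file.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("$"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if not sep or len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError("malformed sha256sum line: %r" % line)
        expected[name.strip().lstrip("*")] = digest   # "*name" marks binary mode
    return expected


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_patches(directory, expected):
    """Return {name: "ok" | "mismatch" | "missing"} for every file the
    advisory lists.  A listed file you did not download is reported, not
    skipped (unlike `sha256sum -c --ignore-missing`)."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def parse_gpg_status(status_text):
    """From `gpg --status-fd` output return (signer fingerprint or None,
    set of problem keywords).  VALIDSIG is the line that carries the full
    fingerprint of the key that made the signature."""
    fingerprint, problems = None, set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            fingerprint = fields[2].upper()
        elif fields[1] in BAD_STATUS:
            problems.add(fields[1])
    return fingerprint, problems


def verify_detached_signature(artifact, sig, keyring, expected_fingerprint):
    """True only if gpg reports a valid signature made by the expected key.
    `keyring` is an absolute path to a keyring holding only keys you have
    deliberately imported; `expected_fingerprint` is the 40-hex fingerprint
    obtained out of band (it is not stated in the announcements)."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed")
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig, artifact],
        capture_output=True, text=True)
    fingerprint, problems = parse_gpg_status(proc.stdout)
    want = expected_fingerprint.replace(" ", "").upper()
    return proc.returncode == 0 and not problems and fingerprint == want


if __name__ == "__main__":
    import sys
    patch_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    expected = parse_sha256sum_block(XSA152_SHA256SUM_BLOCK)
    for name, status in sorted(check_patches(patch_dir, expected).items()):
        print("%-9s %s" % (status, name))
```

Run it in the directory holding the downloaded patches. For the tarball, gpg's exit status alone is not a sufficient check: a valid signature from any key present in the keyring exits 0, so the fingerprint on the VALIDSIG line is compared with the one you expect, and EXPKEYSIG/REVKEYSIG are treated as failures regardless of the exit status.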

From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 29 Oct 2015 12:01:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Zrlsx-000860-MK; Thu, 29 Oct 2015 12:00:51 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsw-00083H-8R; Thu, 29 Oct 2015 12:00:50 +0000
Received: from [85.158.139.211] by server-14.bemta-5.messagelabs.com id
	04/32-22142-17A02365; Thu, 29 Oct 2015 12:00:49 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-3.tower-206.messagelabs.com!1446120047!13980139!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 28951 invoked from network); 29 Oct 2015 12:00:48 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-3.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	29 Oct 2015 12:00:48 -0000
Received: from [50.57.170.242] (helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsh-0005jS-KR; Thu, 29 Oct 2015 12:00:35 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsh-00026q-Iu; Thu, 29 Oct 2015 12:00:35 +0000
Date: Thu, 29 Oct 2015 12:00:35 +0000
Message-Id: <E1Zrlsh-00026q-Iu@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 150 (CVE-2015-7970) - x86:
 Long latency populate-on-demand operation is not preemptible
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2015-7970 / XSA-150
                               version 5

    x86: Long latency populate-on-demand operation is not preemptible

UPDATES IN VERSION 5
====================

Updated patch.  Compared to the version in XSA-150 v4 and earlier,
this patch is simpler and involves less rearrangement of the code.  It
is therefore thought to be less risky.  However, both this version and
the earlier versions have been tested, and both versions eliminate the
vulnerability.  Readers who have already prepared updates with, and/or
deployed, the earlier patch, do not necessarily need to update.

Public release.

ISSUE DESCRIPTION
=================

When running an HVM domain in Populate-on-Demand mode, Xen would
sometimes search the domain for memory to reclaim, in response to
demands for population of other pages in the same domain.

This search runs without preemption.  The guest can, by suitable
arrangement of its memory contents, create a situation where this
search is a time-consuming linear scan of the guest's address space.

The scan might be triggered by the guest's own actions, or by
toolstack operations such as migration.  In guests affected by
XSA-153, this scan might be triggered simply by memory pressure in the
guest.

Even guests not started in PoD mode can create PoD entries.

IMPACT
======

A malicious HVM guest administrator can cause a denial of service.
Specifically, prevent use of a physical CPU for a significant period.

If a host watchdog (Xen or dom0) is in use, this can lead to a
watchdog timeout and consequently a reboot of the host.  If another,
innocent guest is configured with a watchdog, this issue can lead to
a reboot of that guest.

In guests affected by XSA-153, this vulnerability may also be
triggered by an unprivileged guest user, simply by imposing a workload
which generates memory pressure.

VULNERABLE SYSTEMS
==================

The vulnerability is exposed to any x86 HVM guest.

ARM is not vulnerable.  x86 PV VMs are not vulnerable.

Versions of Xen from 3.4 onwards are affected.

MITIGATION
==========

Running only PV guests will avoid this issue.

On systems not also vulnerable to XSA-153, the vulnerability can be
avoided by ensuring that only trusted guest kernels are used, and that
further steps are taken to prevent a guest administrator from loading
code into the kernel (e.g. by disabling loadable modules etc) or from
using other mechanisms which allow them to run code at kernel
privilege.

CREDITS
=======

This issue was disclosed by Andrew Cooper of Citrix.

RESOLUTION
==========

Attached is a patch which resolves the issue by limiting the
long-running "sweep" operation.

This patch will resolve the issue on systems where PoD is not
intentionally in use.  (I.e., where all HVM guests are started with
memory==maxmem.)


When PoD is in use, there are concerns that there may be situations --
operating systems not tested, or buggy balloon drivers, for example --
where limiting the long-running operation may cause guests to crash
which otherwise would not.

Therefore, the patch should be used with caution.

This patch can interact badly on configurations vulnerable to XSA-153.
XSA-153 is triggerable by unprivileged guest users.  The patch changes
the consequences from a host-wide CPU denial problem (which might be
tolerated without catastrophic symptoms in some configurations) into a
likely guest crash; thus it limits the scope of the consequences to
the specific guest, but may worsen the severity.


xsa150.patch      xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa150*
9054215f08cab48d2523efb456eb3c93ca6ac580d661f6e4f1feca115c67afa8  xsa150.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWMgobAAoJEIP+FMlX6CvZ7W4H/36Bx6Aj+4PX3kLPwzsheejj
CWpOQjM4BZAVWkv1N9QInJagZ87qRFwFGlM8FzDuGy3dE7Df5MCs/BH9B1xrJ0E9
Ur30mpsw1IAf9YF/l/XlNLf9G6XCo/g2yS7Jfv5qk3953+0ZkqSd7t8ekFaQSKUz
GGOkhQKJuFsnEmimQTLLBt6brHaYfFJtnbKIFzcBQtRExlKI3BYk3OHNLvIUlj6X
MGij0fJTJggvGjaZ+Olthf0GLtDIZ8GbWD+0FQ4bJwEAacSJ1eVOYzVAdNfFIuVv
73MyN8QyEgu+HSc9RJnILV/g7oIfuGazo1A19KAjeImd81W4bQDVnZJ1KCkcbd0=
=ISHR
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa150.patch"
Content-Disposition: attachment; filename="xsa150.patch"
Content-Transfer-Encoding: base64
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--=separator
--=separator--

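XSA-150 above describes the mechanism in prose: when the PoD cache is empty, the hypervisor sweeps guest memory for an all-zero page to reclaim, the sweep is a non-preemptible linear scan whose length the guest controls by how it fills its memory, and the fix bounds the sweep at the cost of a possible guest crash when the bounded window finds nothing. The model below is an added example, not Xen's p2m code: the page size, the scan order, the "stop after the first reclaimed page" rule and the crash-on-empty-cache rule are simplifications chosen for the model, and the `PodDomain`, `adversarial_guest` and `compare` names are its own.

```python
"""Toy model of the populate-on-demand (PoD) emergency sweep from XSA-150.

Added example, not Xen code.  A guest physmap is a list whose entries are
either page contents (backed) or None (a PoD entry with no backing page).
Touching a PoD entry must be backed from the PoD cache; when the cache is
empty the hypervisor sweeps guest memory for an all-zero page to reclaim.
Page size, scan order and the stop/crash rules are model assumptions.
"""

PAGE = 8                  # model page size in bytes (real pages are 4 KiB)
ZERO_PAGE = bytes(PAGE)


class PodDomain:
    def __init__(self, backed_pages, pod_entries, cache):
        self.physmap = list(backed_pages) + [None] * pod_entries
        self.cache = cache    # free pages PoD can hand out without a sweep
        self.cursor = 0       # where a bounded sweep resumes on its next call
        self.crashed = False

    def _reclaim_if_zero(self, gpfn):
        """An all-zero backed page becomes a PoD entry again and its backing
        page returns to the cache.  Returns True if a page was reclaimed."""
        if self.physmap[gpfn] == ZERO_PAGE:
            self.physmap[gpfn] = None
            self.cache += 1
            return True
        return False

    def sweep_unbounded(self):
        """Pre-fix behaviour: one pass over the whole physmap with no
        preemption point.  Pages examined stands in for time the physical
        CPU is held; a guest that keeps its only zero page at the end of
        memory (or has none) makes it proportional to its memory size."""
        examined = 0
        for gpfn in range(len(self.physmap)):
            examined += 1
            if self._reclaim_if_zero(gpfn):
                break
        return examined

    def sweep_bounded(self, limit):
        """Post-fix model: examine at most `limit` pages per call and remember
        where to resume, so one demand-populate has bounded latency."""
        examined, n = 0, len(self.physmap)
        while examined < limit:
            gpfn, self.cursor = self.cursor, (self.cursor + 1) % n
            examined += 1
            if self._reclaim_if_zero(gpfn):
                break
        return examined

    def touch(self, gpfn, limit=None):
        """Guest writes gpfn.  Returns pages examined by the sweep (0 if none
        was needed).  If the cache is still empty afterwards the populate
        fails and the domain is crashed: with a bounded sweep this is the
        trade-off the XSA-150 resolution text warns about."""
        if self.crashed or self.physmap[gpfn] is not None:
            return 0
        examined = 0
        if self.cache == 0:
            examined = (self.sweep_unbounded() if limit is None
                        else self.sweep_bounded(limit))
        if self.cache == 0:
            self.crashed = True
            return examined
        self.cache -= 1
        self.physmap[gpfn] = b"\x01" * PAGE   # backed; holds what the guest wrote
        return examined


def adversarial_guest(n_backed, zero_at=None, pod_entries=1):
    """A guest that filled memory with non-zero data (nothing to reclaim)
    except, optionally, one zero page at `zero_at`, and left `pod_entries`
    PoD entries outstanding at the top of its physmap with an empty cache."""
    pages = [b"\xff" * PAGE for _ in range(n_backed)]
    if zero_at is not None:
        pages[zero_at] = ZERO_PAGE
    return PodDomain(pages, pod_entries, cache=0)


def compare(n_backed, zero_at, limit):
    """Run the same guest through both sweeps.  Returns
    (examined_unbounded, crashed_unbounded, examined_bounded, crashed_bounded)."""
    unbounded = adversarial_guest(n_backed, zero_at)
    bounded = adversarial_guest(n_backed, zero_at)
    pod_gpfn = n_backed                      # the outstanding PoD entry
    ex_u = unbounded.touch(pod_gpfn)
    ex_b = bounded.touch(pod_gpfn, limit=limit)
    return ex_u, unbounded.crashed, ex_b, bounded.crashed


if __name__ == "__main__":
    # Only zero page at the very end: the unbounded sweep walks all of guest
    # memory (the DoS); the bounded sweep stops early but the guest dies.
    print(compare(4096, zero_at=4095, limit=64))   # (4096, False, 64, True)
    print(compare(4096, zero_at=10, limit=64))     # (11, False, 11, False)
    print(compare(4096, zero_at=None, limit=64))   # (4097, True, 64, True)
```

The three runs show the shape of the advisory's argument: per-call work in the bounded version never exceeds `limit` whatever the guest does, which removes the host-wide CPU denial, but a guest whose reclaimable pages lie outside the window is crashed instead of being served, which is why the advisory says the patch is safe where PoD is not intentionally in use and should be used with caution where it is.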

From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 29 Oct 2015 12:01:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZrltL-0000A1-QV; Thu, 29 Oct 2015 12:01:15 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZrltK-00007n-9v; Thu, 29 Oct 2015 12:01:14 +0000
Received: from [193.109.254.147] by server-1.bemta-14.messagelabs.com id
	0F/0F-28791-88A02365; Thu, 29 Oct 2015 12:01:12 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-8.tower-27.messagelabs.com!1446120069!23725207!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 353 invoked from network); 29 Oct 2015 12:01:10 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-8.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	29 Oct 2015 12:01:10 -0000
Received: from [50.57.170.242] (helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlt4-0005kb-HM; Thu, 29 Oct 2015 12:00:58 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlt4-0002BW-DZ; Thu, 29 Oct 2015 12:00:58 +0000
Date: Thu, 29 Oct 2015 12:00:58 +0000
Message-Id: <E1Zrlt4-0002BW-DZ@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 153 (CVE-2015-7972) - x86:
 populate-on-demand balloon size inaccuracy can crash guests


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

            Xen Security Advisory CVE-2015-7972 / XSA-153
                              version 3

     x86: populate-on-demand balloon size inaccuracy can crash guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The design of the memory populate-on-demand (PoD) system requires that
a guest's memory ballooning driver reach its memory reduction target.
The target is not entirely well-defined in terms of the information
visible to the appropriate parts of the system, so some unknown set of
guests (but probably most guests) will fail this criterion.

If the guest memory balloon driver does not free sufficient memory to
reach its target, the guest will proceed to run with a nonzero number
of outstanding PoD pages.  When the guest or management toolstack
touches such a page, the hypervisor would search the guest memory for
a page containing only zeroes.

If no such page is found, the guest crashes.  Prior to the patch for
XSA-150, the search might lock up the relevant physical cpu for a
while.  After the patch to XSA-150, it might crash the guest even if a
suitable zero page is available.

This means that in the current arrangements toolstack software must
apply an adjustment to a guest's PoD target as supplied to Xen.
Neither xend nor libxl do this.

IMPACT
======

Guests configured with PoD might be unstable, especially under load.

In an affected guest, an unprivileged guest user might be able to
cause a guest crash, perhaps simply by applying load so as to cause
heavy memory pressure within the guest.

This problem also allows an unprivileged guest user to exercise the
separate vulnerability described in XSA-150: an unprivileged guest
user might be able to cause a denial of service affecting the host.

VULNERABLE SYSTEMS
==================

The vulnerability is restricted to HVM guests which have been
constructed in Populate-on-Demand mode (ie, with memory < maxmem).

ARM is not vulnerable.  x86 PV VMs are not vulnerable.  x86 HVM
domains without PoD (ie started with memory==maxmem, or without
mentioning "maxmem" in the guest config file) are not vulnerable.

Systems using libxl (whether via xl, or libvirt, or another higher
layer) or xend (whether via xm, or libvirt, or another higher layer)
are vulnerable.

If the system has been stress-tested (by imposing memory load on the
guest) and found to be stable, it is less likely that the guest is
vulnerable.

Combinations of Xen, guest, guest balloon driver, and toolstack
software, which have an empirical adjustment as described in the
Description, and which have been formally stress-tested in PoD mode,
are less likely to be vulnerable.

Migration is not capable of creating a guest with outstanding PoD.  So
migrating a guest which is vulnerable might crash it.  However, if a
guest has been migrated successfully since it booted, it is no longer
vulnerable.

Xen versions back to 3.4.x are affected.

Vulnerability of a particular guest can be tested by the host
administrator using the utility `xsa153-check.c', attached to this
advisory.


MITIGATION
==========

Reducing the guest's memory target, after guest startup, can cause the
guest's balloon driver to eliminate the PoD discrepancy.  If the guest
successfully balloons down, it will no longer be vulnerable.

On systems using libxl this can be done with `xl mem-set', during or
after each guest boot:

   # ./xsa153-check `xl domid name-of-guest`
   checked domain 621 for XSA-153: VULNERABLE (1 more outstanding pages)
   try using   xl mem-set   to reduce its memory by 1 (Mby)
   or perhaps reduce /local/domain/621/memory/target by 4
   # xl list name-of-guest
   Name                  ID   Mem VCPUs      State   Time(s)
   name-of-guest        621   512     2     r-----     156.9
   # xl mem-set name-of-guest 511
   #
   [ wait for guest to give up memory ]
   # ./xsa153-check `xl domid name-of-guest`
   checked domain 621 for XSA-153: NOT vulnerable
   #

Alternatively, no matter the toolstack, it is possible for a host
administrator to bypass the toolstack code and give ballooning
instructions directly to the guest:

   [ suppose guest domid is 616, eg from xl domid name-of-guest  ]
   # ./xsa153-check 616
   checked domain 616 for XSA-153: VULNERABLE (1 more outstanding pages)
   try using   xl mem-set   to reduce its memory by 1 (Mby)
   or perhaps reduce /local/domain/616/memory/target by 4
   # xenstore-read /local/domain/616/memory/target
   520188
   # xenstore-write /local/domain/616/memory/target 520184
   #
   [ wait for guest to give up memory ]
   # ./xsa153-check `xl domid name-of-guest`
   checked domain 616 for XSA-153: NOT vulnerable
   #

The memory/target value is in decimal, and is a number of kilobytes;
it must be a multiple of 4, since a page is 4 Kb on affected systems.
The value to write should be some amount less than the value read.


It is not currently known whether use of the VM memory event
inspection facilities (in-tree, this means the xc_monitor utility)
might invalidate the workaround.


Note that guests may become unstable if given too little memory, so
large reductions of the memory target should be applied with caution,
if at all.  The expected offset related to XSA-153 is small (tens of
pages, perhaps).  If a large reduction is required, it is more likely
that either the guest is still booting up (and still working to reduce
the PoD memory), or that the guest's balloon driver is not
functioning:

   # ./xsa153-check `xl domid name-of-guest`
   checked domain 623 for XSA-153: VULNERABLE (65536 more outstanding pages)
   difference is >1Mby
   ballon driver not running or guest still booting?
   #

A guest without a working balloon driver will be unstable in PoD mode,
especially under memory pressure; this is an inherent feature of the
design of PoD.
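The mitigation procedure above, as an added shell example that is not code from the advisory or from the xsa153-check utility: it parses the tool's report line and computes the adjusted xenstore memory/target (and the corresponding `xl mem-set` figure) under the constraints the text states. The function names, the constructed report lines and the 1 MB cap on automatic reductions are assumptions, not part of the advisory.

```shell
#!/bin/sh
# Added example, not part of the advisory or of xsa153-check: helpers that
# turn the xsa153-check output and the guest's current memory target into
# the adjusted values the MITIGATION section uses. The report lines below
# are constructed from the advisory's own transcripts; the 1 MB cap on
# automatic reductions is an assumption.

# Extract N from "... VULNERABLE (N more outstanding pages)".
# Prints 0 for a "NOT vulnerable" report; returns 1 on any other line.
xsa153_outstanding_pages() {
    case "$1" in
        *": NOT vulnerable"*) echo 0 ;;
        *": VULNERABLE ("*" more outstanding pages)"*)
            rest=${1#*VULNERABLE (}
            echo "${rest%% more*}" ;;
        *) return 1 ;;
    esac
}

# New xenstore memory/target (decimal kilobytes) for the direct-to-guest
# route. A page is 4 KB on affected systems, so the value read must be a
# multiple of 4 and the reduction is pages*4. Refuses (return 1) when the
# current target is not page-aligned or the discrepancy exceeds the cap:
# a large one means the guest is still booting or its balloon driver is
# not running, and a blind large reduction could destabilise the guest.
xsa153_new_target() {
    cur=$1; pages=$2; cap_pages=${3:-256}      # 256 pages = 1 MB (assumed cap)
    [ "$((cur % 4))" -eq 0 ] || return 1
    [ "$pages" -gt 0 ] || { echo "$cur"; return 0; }
    [ "$pages" -le "$cap_pages" ] || return 1
    echo "$((cur - pages * 4))"
}

# New figure for "xl mem-set", which works in megabytes: reduce the Mem
# column from "xl list" by pages*4 KB rounded up to whole megabytes
# (1 outstanding page -> 1 MB, as in the advisory's transcript).
xsa153_memset_mb() {
    cur_mb=$1; pages=$2
    [ "$pages" -gt 0 ] || { echo "$cur_mb"; return 0; }
    echo "$((cur_mb - (pages * 4 + 1023) / 1024))"
}

# Glue: from one xsa153-check line and the current xenstore target, print
# the value to write, or print nothing and return 1 when no automatic
# adjustment should be made.
xsa153_plan() {
    pages=$(xsa153_outstanding_pages "$1") || return 1
    xsa153_new_target "$2" "$pages"
}

# Constructed inputs mirroring the advisory's transcripts.
LINE_VULN='checked domain 616 for XSA-153: VULNERABLE (1 more outstanding pages)'
LINE_OK='checked domain 616 for XSA-153: NOT vulnerable'
LINE_BIG='checked domain 623 for XSA-153: VULNERABLE (65536 more outstanding pages)'

xsa153_plan "$LINE_VULN" 520188          # 520184: write this to memory/target
xsa153_plan "$LINE_OK"   520188          # 520188: unchanged, nothing to do
xsa153_plan "$LINE_BIG"  520188 || echo 'refusing: balloon driver not running or guest still booting?'
xsa153_memset_mb 512 1                   # 511: the figure for "xl mem-set name-of-guest 511"

# On a real host (not run here) the loop the advisory describes would be:
#   domid=$(xl domid name-of-guest)
#   line=$(./xsa153-check "$domid")
#   cur=$(xenstore-read "/local/domain/$domid/memory/target")
#   new=$(xsa153_plan "$line" "$cur") \
#       && xenstore-write "/local/domain/$domid/memory/target" "$new"
```

Re-run xsa153-check after the guest has had time to give up the memory; the helper refuses rather than guessing when the reported discrepancy is large, matching the advisory's caution about big reductions.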


RESOLUTION
==========

The attached patch fixes the problem for systems using libxl (via xl,
or via libvirt, or another higher layer).  At the time of writing
there is no patch for xend-based systems.

xsa153-libxl.patch            xen-unstable, Xen 4.5, Xen 4.6
xsa153-libxl.patch            Xen 4.1 to 4.4 inclusive, using libxl

(Xend was removed in Xen 4.5; so the libxl-only patch is always
sufficient for Xen 4.5 and later.)

$ sha256sum xsa153*
633df5d970af49476c2d279e604150c444834bb906f6568070f0c2e0ceaa3af4  xsa153-check.c
f5cbc98cba758e10da0a01d9379012ec56b98a85a92bfeb0c6b8132d4b91ce77  xsa153-libxl.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html


NOTE REGARDING SHORT EMBARGO
============================

This issue was quickly encountered by the Security Team during our
investigations of the scope and impact of XSA-150; this issue was
originally discussed in the `Incomplete Information' section of
XSA-150 v1.  Accordingly XSA-153 is embargoed and the embargo will
end at the same time as that of XSA-150.

--=separator
Content-Type: application/octet-stream; name="xsa153-check.c"
Content-Disposition: attachment; filename="xsa153-check.c"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa153-libxl.patch"
Content-Disposition: attachment; filename="xsa153-libxl.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Date: Thu, 29 Oct 2015 12:00:31 +0000
Message-Id: <E1Zrlsd-00025q-DJ@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 149 (CVE-2015-7969) - leak of
 main per-domain vcpu pointer array


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

            Xen Security Advisory CVE-2015-7969 / XSA-149
                              version 3

              leak of main per-domain vcpu pointer array

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

A domain's primary array of vcpu pointers can be allocated by a
toolstack exactly once in the lifetime of a domain via the
XEN_DOMCTL_max_vcpus hypercall.

This array is leaked on domain teardown.  This memory leak could --
over time -- exhaust the host's memory.

IMPACT
======

A domain given partial management control via XEN_DOMCTL_max_vcpus can
mount a denial of service attack affecting the whole system.

The ability to restart or create suitable domains is also required to
fully exploit the issue.  Without this the leak is limited to a small
multiple of the maximum number of vcpus for the domain.

The maximum leak is 64kbytes per domain (re)boot (less on ARM).

VULNERABLE SYSTEMS
==================

This issue is only relevant to systems which intend to increase
security through the use of advanced disaggregated management
techniques.

This does not include systems using libxl, libvirt, or OpenStack
(unless substantially modified or supplemented, as compared to
versions supplied by the respective upstreams).

Versions of Xen from 4.0 onwards are vulnerable.

All architectures are affected.

MITIGATION
==========

The leak is small.  Preventing the creation of large numbers of new
domains, and limiting the number of times an existing domain can be
rebooted, can reduce the impact of this vulnerability.

Switching from disaggregated to a non-disaggregated operation does NOT
mitigate the XEN_DOMCTL_max_vcpus vulnerability.  Rather, it simply
recategorises the vulnerability to hostile management code, regarding
it "as designed"; thus it merely reclassifies these issues as "not a
bug".  Users and vendors of disaggregated systems should not change
their configuration.

NOTE REGARDING CVE
==================

Note that CVE-2015-7969 covers both this issue and XSA-151.

CREDITS
=======

This issue was discovered by Ian Campbell of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.
(To resolve CVE-2015-7969, the patch from XSA-151 is required too.)

xsa149.patch        xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa149*.patch
e01628400b81c4bb7bafba348f2ecb1fe80f16e3162cee5013e0be1d7311738b  xsa149.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the PATCH (or others which are substantially similar) is
permitted during the embargo, even on public-facing systems with
untrusted guest users and administrators.


However deployment of the (RE)BOOT LIMIT MITIGATION is NOT permitted
(except where all the affected systems and VMs are administered and
used only by organisations which are members of the Xen Project
Security Issues Predisclosure List).  Specifically, deployment on
public cloud systems is NOT permitted.

This is because applying domain creation and reboot limits in
connection with a security issue would be a user-visible change which
could lead to the rediscovery of the vulnerability.

Deployment of the mitigation is permitted only AFTER the embargo ends.


Also: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

--=separator
Content-Type: application/octet-stream; name="xsa149.patch"
Content-Disposition: attachment; filename="xsa149.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Date: Thu, 29 Oct 2015 12:00:23 +0000
Message-Id: <E1ZrlsV-00023G-Eo@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 147 (CVE-2015-7814) - arm:
 Race between domain destruction and memory allocation decrease


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

            Xen Security Advisory CVE-2015-7814 / XSA-147
                              version 3

 arm: Race between domain destruction and memory allocation decrease

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

While freeing the memory associated with a domain during domain
destruction, Xen could race with a toolstack domain reducing the
amount of memory associated with that same domain via the
XENMEM_decrease_reservation hypercall.

In the case where this race is hit the host will crash.

The race is not exposed via the XENMEM_remove_from_physmap or
XENMEM_exchange interfaces.

IMPACT
======

Domains deliberately given partial management control may be able to
deny service by crashing the host.

Such a domain needs to be granted access to at least one of
XENMEM_decrease_reservation or XEN_DOMCTL_destroydomain over another
domain.

As a result, in a system designed to enhance security by radically
disaggregating the management, the security may be reduced.  But, the
security will be no worse than a non-disaggregated design.

VULNERABLE SYSTEMS
==================

This issue is only relevant to systems which intend to increase
security through the use of advanced disaggregated management
techniques.

This does not include systems using libxl, libvirt, or OpenStack
(unless substantially modified or supplemented, as compared to
versions supplied by the respective upstreams).

Only ARM systems are potentially affected.  All Xen versions which
support ARM are potentially affected.

x86 systems are not affected.

MITIGATION
==========

There is no known mitigation.

Switching from disaggregated to a non-disaggregated operation does NOT
mitigate these vulnerabilities.  Rather, it simply recategorises the
vulnerability to hostile management code, regarding it "as designed";
thus it merely reclassifies these issues as "not a bug".  Users and
vendors of disaggregated systems should not change their
configuration.

CREDITS
=======

This issue was discovered by Ian Campbell of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa147.patch        xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x

$ sha256sum xsa147*.patch
35cd9c5dabd5af6756957cf7378d527b2fcbff35dcf578769769a364a98ea6ac  xsa147.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

--=separator
Content-Type: application/octet-stream; name="xsa147.patch"
Content-Disposition: attachment; filename="xsa147.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Date: Thu, 29 Oct 2015 12:00:18 +0000
Message-Id: <E1ZrlsQ-00022F-QY@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 146 (CVE-2015-7813) - arm:
 various unimplemented hypercalls log without rate limiting


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

            Xen Security Advisory CVE-2015-7813 / XSA-146
                              version 3

   arm: various unimplemented hypercalls log without rate limiting

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The HYPERVISOR_physdev_op hypercall and most suboperations of the
HYPERVISOR_hvm_op hypercall are not currently implemented by Xen on
ARM and, when called, log the attempt to the hypervisor console.
However, these guest-accessible log messages are not rate-limited.

IMPACT
======

A malicious guest could cause repeated logging to the hypervisor
console, leading to a Denial of Service attack.

VULNERABLE SYSTEMS
==================

Xen 4.4 and later systems running on ARM hardware are vulnerable.

x86 systems are not affected.

MITIGATION
==========

The problematic log messages are issued with priority Warning.

Therefore they can be rate limited by adding "loglvl=error/warning" to the
hypervisor command line or suppressed entirely by adding "loglvl=error".

On systems where the guest kernel is controlled by the host rather
than guest administrator, running only kernels which do not call these
hypercalls will also prevent untrusted guest users from exploiting
this issue. However untrusted guest administrators can still trigger
it unless further steps are taken to prevent them from loading code
into the kernel (e.g. by disabling loadable modules etc) or from using
other mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by Julien Grall of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa146.patch        xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x

$ sha256sum xsa146*.patch
1d0ff203581ac5bcc0ec4469a4909da968b218ed83280efd217020c396028591  xsa146.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

--=separator
Content-Type: application/octet-stream; name="xsa146.patch"
Content-Disposition: attachment; filename="xsa146.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 29 Oct 2015 12:01:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZrlsX-0007g9-B3; Thu, 29 Oct 2015 12:00:25 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZrlsV-0007fW-V6; Thu, 29 Oct 2015 12:00:24 +0000
Received: from [85.158.137.68] by server-12.bemta-3.messagelabs.com id
	C5/C4-14900-65A02365; Thu, 29 Oct 2015 12:00:22 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-12.tower-31.messagelabs.com!1446120020!21062736!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 28787 invoked from network); 29 Oct 2015 12:00:21 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-12.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	29 Oct 2015 12:00:21 -0000
Received: from [50.57.170.242] (helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZrlsM-0005ht-Pc; Thu, 29 Oct 2015 12:00:14 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZrlsM-00021I-Bt; Thu, 29 Oct 2015 12:00:14 +0000
Date: Thu, 29 Oct 2015 12:00:14 +0000
Message-Id: <E1ZrlsM-00021I-Bt@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 145 (CVE-2015-7812) - arm:
 Host crash when preempting a multicall
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-7812 / XSA-145
                              version 3

             arm: Host crash when preempting a multicall

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Early versions of Xen on ARM did not support "multicall" functionality
(the ability to perform multiple operations via a single hypercall)
and therefore stubbed out the functionality needed to support
preemption of multicalls in a manner which crashed the host.

When multicall support was subsequently added these stubs were not
replaced with the correct functionality and therefore exposed to
guests a code path which crashes the host.

Any guest can issue a preemptable hypercall via the multicall interface
to exploit this vulnerability.

IMPACT
======

A malicious guest can crash the host.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.

x86 systems are not vulnerable.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather
than guest administrator, running only kernels which do not make use
of multicall functionality will prevent untrusted guest users from
exploiting this issue. However untrusted guest administrators can still
trigger it unless further steps are taken to prevent them from loading
code into the kernel (e.g. by disabling loadable modules etc) or from
using other mechanisms which allow them to run code at kernel
privilege.

CREDITS
=======

This issue was discovered by Julien Grall of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa145.patch        xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x

$ sha256sum xsa145*.patch
4d4a4724e4d367ddfc9ac1b43dfe81bce873c65fe9bb13f443266dd12c002db1  xsa145.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

--=separator
Content-Type: application/octet-stream; name="xsa145.patch"
Content-Disposition: attachment; filename="xsa145.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 29 Oct 2015 12:01:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Zrlt3-0008Da-2i; Thu, 29 Oct 2015 12:00:57 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsz-000889-Tm; Thu, 29 Oct 2015 12:00:54 +0000
Received: from [85.158.139.211] by server-15.bemta-5.messagelabs.com id
	B3/90-16870-57A02365; Thu, 29 Oct 2015 12:00:53 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-13.tower-206.messagelabs.com!1446120051!16204749!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 3864 invoked from network); 29 Oct 2015 12:00:52 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-13.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	29 Oct 2015 12:00:52 -0000
Received: from [50.57.170.242] (helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsk-0005jj-Li; Thu, 29 Oct 2015 12:00:38 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsk-00027q-In; Thu, 29 Oct 2015 12:00:38 +0000
Date: Thu, 29 Oct 2015 12:00:38 +0000
Message-Id: <E1Zrlsk-00027q-In@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 151 (CVE-2015-7969) - x86:
 leak of per-domain profiling-related vcpu pointer array
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-7969 / XSA-151
                              version 3

       x86: leak of per-domain profiling-related vcpu pointer array

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

A domain's xenoprofile state contains an array of per-vcpu
information, which is allocated once in the lifetime of a domain in
response to that domain using the XENOPROF_get_buffer hypercall on
itself or by a domain with the privilege to profile a target domain
using the XENOPROF_set_passive hypercall.

This array is leaked on domain teardown.  This memory leak could --
over time -- exhaust the host's memory.

IMPACT
======

The following parties can mount a denial of service attack affecting
the whole system:

  - A malicious guest administrator via XENOPROF_get_buffer.
  - A domain given suitable privilege over another domain
    via XENOPROF_set_passive (this would usually be a domain being
    used to profile another domain, eg with the xenoprof tool).

The ability to restart or create suitable domains is also required to
fully exploit the issue.  Without this the leak is limited to a small
multiple of the maximum number of vcpus for the domain.

The maximum leak is 128kbytes per domain (re)boot.

VULNERABLE SYSTEMS
==================

Versions of Xen from 4.0 onwards are vulnerable.

The XENOPROF hypercalls are only implemented on x86.  ARM is therefore
not vulnerable.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather
than guest administrator, running only kernels (in the target and
profiling domain respectively) which do not call these hypercalls will
also prevent untrusted guest users from exploiting this issue. However
untrusted guest administrators can still trigger it unless further
steps are taken to prevent them from loading code into the kernel
(e.g. by disabling loadable modules etc) or from using other
mechanisms which allow them to run code at kernel privilege.

The leak is small.  Preventing the creation of large numbers of new
domains, and limiting the number of times an existing domain can be
rebooted, can reduce the impact of this vulnerability.

NOTE REGARDING CVE
==================

Note that CVE-2015-7969 covers both this issue and XSA-149.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.
(To resolve CVE-2015-7969, the patch from XSA-149 is required too.)

xsa151.patch        xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa151*.patch
e247a9dbbe236ffa3c5aa5e2d41047fa67da80f2b0474eef3440b5b3da2d5617  xsa151.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the PATCH or the TRUSTED KERNEL MITIGATION (or others
which are substantially similar) is permitted during the embargo, even
on public-facing systems with untrusted guest users and
administrators.


However deployment of the (RE)BOOT LIMIT MITIGATION is NOT permitted
(except where all the affected systems and VMs are administered and
used only by organisations which are members of the Xen Project
Security Issues Predisclosure List).  Specifically, deployment on
public cloud systems is NOT permitted.

This is because applying domain creation and reboot limits in
connection with a security issue would be a user-visible change which
could lead to the rediscovery of the vulnerability.

Deployment of the reboot mitigation is permitted only AFTER the
embargo ends.


Also: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

--=separator
Content-Type: application/octet-stream; name="xsa151.patch"
Content-Disposition: attachment; filename="xsa151.patch"
Content-Transfer-Encoding: base64

--=separator--


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 29 Oct 2015 12:01:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Zrlsf-0007jq-SF; Thu, 29 Oct 2015 12:00:33 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlse-0007iy-Cn; Thu, 29 Oct 2015 12:00:32 +0000
Received: from [85.158.139.211] by server-12.bemta-5.messagelabs.com id
	41/2E-12831-F5A02365; Thu, 29 Oct 2015 12:00:31 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-2.tower-206.messagelabs.com!1446120029!22620404!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 16108 invoked from network); 29 Oct 2015 12:00:30 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-2.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	29 Oct 2015 12:00:30 -0000
Received: from [50.57.170.242] (helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZrlsQ-0005i7-Ue; Thu, 29 Oct 2015 12:00:18 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZrlsQ-00022F-QY; Thu, 29 Oct 2015 12:00:18 +0000
Date: Thu, 29 Oct 2015 12:00:18 +0000
Message-Id: <E1ZrlsQ-00022F-QY@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 146 (CVE-2015-7813) - arm:
 various unimplemented hypercalls log without rate limiting
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-7813 / XSA-146
                              version 3

   arm: various unimplemented hypercalls log without rate limiting

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The HYPERVISOR_physdev_op hypercall and most suboperations of the
HYPERVISOR_hvm_op hypercall are not currently implemented by Xen on
ARM and when called will log the use to the hypervisor
console. However these guest accessible log messages are not
rate-limited.

IMPACT
======

A malicious guest could cause repeated logging to the hypervisor
console, leading to a Denial of Service attack.

VULNERABLE SYSTEMS
==================

Xen 4.4 and later systems running on ARM hardware are vulnerable.

x86 systems are not affected.

MITIGATION
==========

The problematic log messages are issued with priority Warning.

Therefore they can be rate limited by adding "loglvl=error/warning" to the
hypervisor command line or suppressed entirely by adding "loglvl=error".

On systems where the guest kernel is controlled by the host rather
than guest administrator, running only kernels which do not call these
hypercalls will also prevent untrusted guest users from exploiting
this issue. However untrusted guest administrators can still trigger
it unless further steps are taken to prevent them from loading code
into the kernel (e.g. by disabling loadable modules etc) or from using
other mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by Julien Grall of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa146.patch        xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x

$ sha256sum xsa146*.patch
1d0ff203581ac5bcc0ec4469a4909da968b218ed83280efd217020c396028591  xsa146.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

--=separator
Content-Type: application/octet-stream; name="xsa146.patch"
Content-Disposition: attachment; filename="xsa146.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 29 Oct 2015 12:01:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZrltL-0000A1-QV; Thu, 29 Oct 2015 12:01:15 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZrltK-00007n-9v; Thu, 29 Oct 2015 12:01:14 +0000
Received: from [193.109.254.147] by server-1.bemta-14.messagelabs.com id
	0F/0F-28791-88A02365; Thu, 29 Oct 2015 12:01:12 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-8.tower-27.messagelabs.com!1446120069!23725207!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 353 invoked from network); 29 Oct 2015 12:01:10 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-8.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	29 Oct 2015 12:01:10 -0000
Received: from [50.57.170.242] (helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlt4-0005kb-HM; Thu, 29 Oct 2015 12:00:58 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlt4-0002BW-DZ; Thu, 29 Oct 2015 12:00:58 +0000
Date: Thu, 29 Oct 2015 12:00:58 +0000
Message-Id: <E1Zrlt4-0002BW-DZ@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 153 (CVE-2015-7972) - x86:
 populate-on-demand balloon size inaccuracy can crash guests
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-7972 / XSA-153
                              version 3

     x86: populate-on-demand balloon size inaccuracy can crash guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The design of the memory populate-on-demand (PoD) system requires that
a guest's memory ballooning driver reach its memory reduction target.
The target is not entirely well-defined in terms of the information
visible to the appropriate parts of the system, so some unknown set of
guests (but probably most guests) will fail this criterion.

If the guest memory balloon driver does not free sufficient memory to
reach its target, the guest will proceed to run with a nonzero number
of outstanding PoD pages.  When the guest or management toolstack
touches such a page, the hypervisor would search the guest memory for
a page containing only zeroes.

If no such page is found, the guest crashes.  Prior to the patch for
XSA-150, the search might lock up the relevant physical cpu for a
while.  After the patch to XSA-150, it might crash the guest even if a
suitable zero page is available.

This means that in the current arrangements toolstack software must
apply an adjustment to a guest's PoD target as supplied to Xen.
Neither xend nor libxl do this.

IMPACT
======

Guests configured with PoD might be unstable, especially under load.

In an affected guest, an unprivileged guest user might be able to
cause a guest crash, perhaps simply by applying load so as to cause
heavy memory pressure within the guest.

This problem also allows an unprivileged guest user to exercise the
separate vulnerability described in XSA-150: an unprivileged guest
user might be able to cause a denial of service affecting the host.

VULNERABLE SYSTEMS
==================

The vulnerability is restricted to HVM guests which have been
constructed in Populate-on-Demand mode (ie, with memory < maxmem).

ARM is not vulnerable.  x86 PV VMs are not vulnerable.  x86 HVM
domains without PoD (ie started with memory==maxmem, or without
mentioning "maxmem" in the guest config file) are not vulnerable.

Systems using libxl (whether via xl, or libvirt, or another higher
layer) or xend (whether via xm, or libvirt, or another higher layer)
are vulnerable.

If the system has been stress-tested (by imposing memory load on the
guest) and found to be stable, it is less likely that the guest is
vulnerable.

Combinations of Xen, guest, guest balloon driver, and toolstack
software, which have an empirical adjustment as described in the
Description, and which have been formally stress-tested in PoD mode,
are less likely to be vulnerable.

Migration is not capable of creating a guest with outstanding PoD.  So
migrating a guest which is vulnerable might crash it.  However, if a
guest has been migrated successfully since it booted, it is no longer
vulnerable.

Xen versions back to 3.4.x are affected.

Vulnerability of a particular guest can be tested by the host
administrator using the utility `xsa153-check.c', attached to this
advisory.


MITIGATION
==========

Reducing the guest's memory target, after guest startup, can cause the
guest's balloon driver to eliminate the PoD discrepancy.  If the guest
successfully balloons down, it will no longer be vulnerable.

On systems using libxl this can be done with `xl mem-set', during or
after each guest boot:

   # ./xsa153-check `xl domid name-of-guest`
   checked domain 621 for XSA-153: VULNERABLE (1 more outstanding pages)
   try using   xl mem-set   to reduce its memory by 1 (Mby)
   or perhaps reduce /local/domain/621/memory/target by 4
   # xl list name-of-guest
   Name                  ID   Mem VCPUs      State   Time(s)
   name-of-guest        621   512     2     r-----     156.9
   # xl mem-set name-of-guest 511
   #
   [ wait for guest to give up memory ]
   # ./xsa153-check `xl domid name-of-guest`
   checked domain 621 for XSA-153: NOT vulnerable
   #

Alternatively, no matter the toolstack, it is possible for a host
administrator to bypass the toolstack code and give ballooning
instructions directly to the guest:

   [ suppose guest domid is 616, eg from xl domid name-of-guest  ]
   # ./xsa153-check 616
   checked domain 616 for XSA-153: VULNERABLE (1 more outstanding pages)
   try using   xl mem-set   to reduce its memory by 1 (Mby)
   or perhaps reduce /local/domain/616/memory/target by 4
   # xenstore-read /local/domain/616/memory/target
   520188
   # xenstore-write /local/domain/616/memory/target 520184
   #
   [ wait for guest to give up memory ]
   # ./xsa153-check `xl domid name-of-guest`
   checked domain 616 for XSA-153: NOT vulnerable
   #

The memory/target value is in decimal, and is a number of kilobytes;
it must be a multiple of 4, since a page is 4 KB on affected systems.
The value to write should be some amount less than the value read.


It is not currently known whether use of the VM memory event
inspection facilities (in-tree, this means the xc_monitor utility)
might invalidate the workaround.


Note that guests may become unstable if given too little memory, so
large reductions of the memory target should be applied with caution,
if at all.  The expected offset related to XSA-153 is small (tens of
pages, perhaps).  If a large reduction is required, it is more likely
that either the guest is still booting up (and still working to reduce
the PoD memory), or that the guest's balloon driver is not
functioning:

   # ./xsa153-check `xl domid name-of-guest`
   checked domain 623 for XSA-153: VULNERABLE (65536 more outstanding pages)
   difference is >1Mby
   ballon driver not running or guest still booting?
   #

A guest without a working balloon driver will be unstable in PoD mode,
especially under memory pressure; this is an inherent feature of the
design of PoD.
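The xenstore-write procedure above, together with the caution about large reductions, as a small POSIX sh helper that derives the reduced memory/target from the xsa153-check report. This is an added example, not part of the advisory or of the Xen tools; it assumes xsa153-check has been built in the current directory and that xenstore-read/xenstore-write are on PATH, and the 256-page (1 MiB) refusal threshold is my own choice based on the ">1Mby" warning in the text.

```shell
#!/bin/sh
# Added helper (not from the advisory): turn an xsa153-check report into a
# safe reduction of /local/domain/<domid>/memory/target.

PAGE_KB=4       # a page is 4 KB on affected systems (from the advisory)
MAX_PAGES=256   # constructed cap: refuse reductions above 1 MiB, since a large
                # discrepancy means the balloon driver is not running or the
                # guest is still booting (see the caution above)

# Extract the number of outstanding PoD pages from a report line such as
#   checked domain 616 for XSA-153: VULNERABLE (1 more outstanding pages)
# Prints 0 for "NOT vulnerable"; returns 1 if the text is not recognised.
xsa153_parse_outstanding() {
    case "$1" in
        *": NOT vulnerable"*)
            echo 0 ;;
        *"VULNERABLE ("*" more outstanding pages)"*)
            printf '%s\n' "$1" |
                sed -n 's/.*VULNERABLE (\([0-9][0-9]*\) more outstanding pages).*/\1/p' ;;
        *)
            return 1 ;;
    esac
}

# Compute a new memory/target (kilobytes) that is PAGES pages below CURRENT_KB.
# Fails unless both inputs are numeric, CURRENT_KB is a multiple of 4, the
# reduction is within 1..MAX_PAGES, and the result stays positive.
xsa153_new_target() {
    current_kb=$1
    pages=$2
    for v in "$current_kb" "$pages"; do
        case "$v" in
            ''|*[!0-9]*) echo "xsa153: non-numeric input" >&2; return 1 ;;
        esac
    done
    if [ $((current_kb % PAGE_KB)) -ne 0 ]; then
        echo "xsa153: memory/target $current_kb is not a multiple of $PAGE_KB" >&2
        return 1
    fi
    if [ "$pages" -lt 1 ] || [ "$pages" -gt "$MAX_PAGES" ]; then
        echo "xsa153: refusing to reduce by $pages pages (allowed 1..$MAX_PAGES)" >&2
        return 1
    fi
    new_kb=$((current_kb - pages * PAGE_KB))
    if [ "$new_kb" -le 0 ]; then
        echo "xsa153: reduction would leave no memory" >&2
        return 1
    fi
    echo "$new_kb"
}

# Apply the workaround to one domain: run the check, read the current target,
# and write the reduced target back (only print it when DRY_RUN=1).  The exit
# status of xsa153-check is not relied on; only its report line is parsed.
xsa153_balloon_down() {
    domid=$1
    report=$(./xsa153-check "$domid" 2>&1)
    pages=$(xsa153_parse_outstanding "$report") || {
        echo "xsa153: unrecognised report: $report" >&2
        return 1
    }
    if [ "$pages" -eq 0 ]; then
        echo "domain $domid: not vulnerable, nothing to do"
        return 0
    fi
    current_kb=$(xenstore-read "/local/domain/$domid/memory/target") || return 1
    new_kb=$(xsa153_new_target "$current_kb" "$pages") || return 1
    echo "domain $domid: memory/target $current_kb -> $new_kb ($pages pages)"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        return 0
    fi
    xenstore-write "/local/domain/$domid/memory/target" "$new_kb"
}
```

Source the file and call `xsa153_balloon_down "$(xl domid name-of-guest)"`, then re-run xsa153-check once the guest has given up the memory, as in the transcript above.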


RESOLUTION
==========

The attached patch fixes the problem for systems using libxl (via xl,
or via libvirt, or another higher layer).  At the time of writing
there is no patch for xend-based systems.

xsa153-libxl.patch            xen-unstable, Xen 4.5, Xen 4.6
xsa153-libxl.patch            Xen 4.1 to 4.4 inclusive, using libxl

(Xend was removed in Xen 4.5; so the libxl-only patch is always
sufficient for Xen 4.5 and later.)

$ sha256sum xsa153*
633df5d970af49476c2d279e604150c444834bb906f6568070f0c2e0ceaa3af4  xsa153-check.c
f5cbc98cba758e10da0a01d9379012ec56b98a85a92bfeb0c6b8132d4b91ce77  xsa153-libxl.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html


NOTE REGARDING SHORT EMBARGO
============================

This issue was quickly encountered by the Security Team during our
investigations of the scope and impact of XSA-150; it was originally
discussed in the `Incomplete Information' section of XSA-150 v1.
Accordingly, XSA-153 is embargoed, and its embargo will end at the same
time as that of XSA-150.

--=separator
Content-Type: application/octet-stream; name="xsa153-check.c"
Content-Disposition: attachment; filename="xsa153-check.c"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa153-libxl.patch"
Content-Disposition: attachment; filename="xsa153-libxl.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Date: Thu, 29 Oct 2015 12:00:31 +0000
Message-Id: <E1Zrlsd-00025q-DJ@xenbits.xen.org>
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 149 (CVE-2015-7969) - leak of
 main per-domain vcpu pointer array

            Xen Security Advisory CVE-2015-7969 / XSA-149
                              version 3

              leak of main per-domain vcpu pointer array

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

A domain's primary array of vcpu pointers can be allocated by a
toolstack exactly once in the lifetime of a domain via the
XEN_DOMCTL_max_vcpus hypercall.

This array is leaked on domain teardown.  This memory leak could --
over time -- exhaust the host's memory.

IMPACT
======

A domain given partial management control via XEN_DOMCTL_max_vcpus can
mount a denial of service attack affecting the whole system.

The ability to restart or create suitable domains is also required to
fully exploit the issue.  Without this the leak is limited to a small
multiple of the maximum number of vcpus for the domain.

The maximum leak is 64 kilobytes per domain (re)boot (less on ARM).

VULNERABLE SYSTEMS
==================

This issue is only relevant to systems which intend to increase
security through the use of advanced disaggregated management
techniques.

This does not include systems using libxl, libvirt, or OpenStack
(unless substantially modified or supplemented, as compared to
versions supplied by the respective upstreams).

Versions of Xen from 4.0 onwards are vulnerable.

All architectures are affected.

MITIGATION
==========

The leak is small.  Preventing the creation of large numbers of new
domains, and limiting the number of times an existing domain can be
rebooted, can reduce the impact of this vulnerability.

Switching from disaggregated to non-disaggregated operation does NOT
mitigate the XEN_DOMCTL_max_vcpus vulnerability.  Rather, it simply
recategorises the vulnerability as hostile management code behaving "as
designed"; thus it merely reclassifies these issues as "not a bug".
Users and vendors of disaggregated systems should not change their
configuration.

NOTE REGARDING CVE
==================

Note that CVE-2015-7969 covers both this issue and XSA-151.

CREDITS
=======

This issue was discovered by Ian Campbell of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.
(To resolve CVE-2015-7969, the patch from XSA-151 is required too.)

xsa149.patch        xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa149*.patch
e01628400b81c4bb7bafba348f2ecb1fe80f16e3162cee5013e0be1d7311738b  xsa149.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the PATCH (or others which are substantially similar) is
permitted during the embargo, even on public-facing systems with
untrusted guest users and administrators.


However deployment of the (RE)BOOT LIMIT MITIGATION is NOT permitted
(except where all the affected systems and VMs are administered and
used only by organisations which are members of the Xen Project
Security Issues Predisclosure List).  Specifically, deployment on
public cloud systems is NOT permitted.

This is because applying domain creation and reboot limits in
connection with a security issue would be a user-visible change which
could lead to the rediscovery of the vulnerability.

Deployment of the mitigation is permitted only AFTER the embargo ends.


Also: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

--=separator
Content-Type: application/octet-stream; name="xsa149.patch"
Content-Disposition: attachment; filename="xsa149.patch"
Content-Transfer-Encoding: base64
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--=separator


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Date: Thu, 29 Oct 2015 12:00:27 +0000
Message-Id: <E1ZrlsZ-00024q-IX@xenbits.xen.org>
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 148 (CVE-2015-7835) - x86:
 Uncontrolled creation of large page mappings by PV guests

            Xen Security Advisory CVE-2015-7835 / XSA-148
                              version 4

      x86: Uncontrolled creation of large page mappings by PV guests

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The code to validate level 2 page table entries is bypassed when
certain conditions are satisfied.  This means that a PV guest can
create writeable mappings using super page mappings.

Such writeable mappings can violate Xen's intended invariants for pages
which Xen is supposed to keep read-only.

This is possible even if the "allowsuperpage" command line option is
not used.

IMPACT
======

Malicious PV guest administrators can escalate privilege so as to
control the whole system.

VULNERABLE SYSTEMS
==================

Xen 3.4 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only PV guests can exploit the vulnerability.  Both 32-bit and 64-bit
PV guests can do so.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.

On systems where the guest kernel is controlled by the host rather
than the guest administrator, running only kernels which do not call
these hypercalls will also prevent untrusted guest users from
exploiting this issue.  However, untrusted guest administrators can
still trigger it unless further steps are taken to prevent them from
loading code into the kernel (e.g. by disabling loadable modules) or
from using other mechanisms which allow them to run code at kernel
privilege.

CREDITS
=======

This issue was discovered by 栾尚聪 (好风) of Alibaba.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa148.patch                 xen-unstable, Xen 4.6.x
xsa148-4.5.patch             Xen 4.5.x
xsa148-4.4.patch             Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa148*.patch
f320d105a4832124910f46c50acd4803fe289bd7c4702ec15f97fb611b70944d  xsa148.patch
7f78efd001f041a0e5502546664d28011cb881d72c94ea564585efb3ca01ddfe  xsa148-4.4.patch
272a729048471cea851d4a881f3f2c32c7be101e2a452d2b2ceb9d66908ee4a3  xsa148-4.5.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

--=separator
Content-Type: application/octet-stream; name="xsa148.patch"
Content-Disposition: attachment; filename="xsa148.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: application/octet-stream; name="xsa148-4.4.patch"
Content-Disposition: attachment; filename="xsa148-4.4.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa148-4.5.patch"
Content-Disposition: attachment; filename="xsa148-4.5.patch"
Content-Transfer-Encoding: base64
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--=separator


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Date: Thu, 29 Oct 2015 12:00:44 +0000
Message-Id: <E1Zrlsq-00029M-TQ@xenbits.xen.org>
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 152 (CVE-2015-7971) - x86:
 some pmu and profiling hypercalls log without rate limiting

            Xen Security Advisory CVE-2015-7971 / XSA-152
                              version 3

      x86: some pmu and profiling hypercalls log without rate limiting

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

HYPERVISOR_xenoprof_op and HYPERVISOR_xenpmu_op log some errors and
attempts at invalid operations.

These log messages are not rate-limited, even though they can be
triggered by guests.

IMPACT
======

A malicious guest could cause repeated logging to the hypervisor
console, leading to a Denial of Service attack.

VULNERABLE SYSTEMS
==================

Xen versions 3.2.x and later are affected.  (The VPMU part of the
vulnerability is applicable only to Xen 4.6 and later.)

ARM systems are not affected.  (The pmu hypercall is x86-specific, and
xenoprof is not supported on ARM.)

MITIGATION
==========

The problematic log messages are issued with priority Warning.
Therefore they can be rate limited by adding "loglvl=error/warning" to
the hypervisor command line or suppressed entirely by adding
"loglvl=error".

On systems where the guest kernel is controlled by the host rather
than the guest administrator, running only kernels which do not call
these hypercalls will also prevent untrusted guest users from
exploiting this issue.  However, untrusted guest administrators can
still trigger it unless further steps are taken to prevent them from
loading code into the kernel (e.g. by disabling loadable modules) or
from using other mechanisms which allow them to run code at kernel
privilege.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa152-unstable.patch        xen-unstable, Xen 4.6.x
xsa152-4.5.patch             Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa152*.patch
596f51797aa591b5abd068ead03e21215cf70997c98a4a562392499afe47b81c  xsa152.patch
7ae2811ea80da29ee234ad5a2cbb5908e03db8fb6c50774d378d77d273e74e39  xsa152-4.5.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

--=separator
Content-Type: application/octet-stream; name="xsa152.patch"
Content-Disposition: attachment; filename="xsa152.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: application/octet-stream; name="xsa152-4.5.patch"
Content-Disposition: attachment; filename="xsa152-4.5.patch"
Content-Transfer-Encoding: base64
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--=separator


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Date: Thu, 29 Oct 2015 12:00:23 +0000
Message-Id: <E1ZrlsV-00023G-Eo@xenbits.xen.org>
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 147 (CVE-2015-7814) - arm:
 Race between domain destruction and memory allocation decrease


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-7814 / XSA-147
                              version 3

 arm: Race between domain destruction and memory allocation decrease

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

While freeing the memory associated with a domain during domain
destruction Xen could race with a toolstack domain reducing the
amount of memory associated with that same domain via the
XENMEM_decrease_reservation hypercall.

In the case where this race is hit the host will crash.

The race is not exposed via the XENMEM_remove_from_physmap or
XENMEM_exchange interfaces.

IMPACT
======

Domains deliberately given partial management control may be able to
deny service by crashing the host.

Such a domain needs to be granted access to at least one of
XENMEM_decrease_reservation or XEN_DOMCTL_destroydomain over another
domain.

As a result, in a system designed to enhance security by radically
disaggregating the management, the security may be reduced.  But, the
security will be no worse than a non-disaggregated design.

VULNERABLE SYSTEMS
==================

This issue is only relevant to systems which intend to increase
security through the use of advanced disaggregated management
techniques.

This does not include systems using libxl, libvirt, or OpenStack
(unless substantially modified or supplemented, as compared to
versions supplied by the respective upstreams).

Only ARM systems are potentially affected.  All Xen versions which
support ARM are potentially affected.

x86 systems are not affected.

MITIGATION
==========

There is no known mitigation.

Switching from disaggregated to a non-disaggregated operation does NOT
mitigate this vulnerability.  Rather, it simply recategorises the
vulnerability to hostile management code, regarding it "as designed";
thus it merely reclassifies the issue as "not a bug".  Users and
vendors of disaggregated systems should not change their
configuration.

CREDITS
=======

This issue was discovered by Ian Campbell of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa147.patch        xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x

$ sha256sum xsa147*.patch
35cd9c5dabd5af6756957cf7378d527b2fcbff35dcf578769769a364a98ea6ac  xsa147.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWMgm3AAoJEIP+FMlX6CvZHPAIAIgXu4741IJeO/Pb187gxO3Z
IXpSSJF1Fvof/Ma6LLSGRth94WiafF91MKKqlEAKFPyfRUOkJXHAoahDUe7lF1Lr
V5qSA4jAu69ZIhg3AAKuI+xBV/PNx7rlaG0duRI9nHmLRhbIU3EF9YJbKntdZzZr
gdE/zLk+moW4U2/quEIEQGqtDGr/RAm5N0MqGwW4mcHUhlp4XcNuqrC8+b5qaeJ3
8/pc9whzyHM04De5Ve9/iFUu0J6KxNK+hN9V14mO8bcPXzK/K8X4C3qUD6HtZx+U
VsaKT/N4INNDg7wqULcjg/Vp23SE/mUPM8Fernee9KnI2CY3pnS9DB1KEYMry5s=
=7g7l
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa147.patch"
Content-Disposition: attachment; filename="xsa147.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 29 Oct 2015 12:01:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Zrlsx-000860-MK; Thu, 29 Oct 2015 12:00:51 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsw-00083H-8R; Thu, 29 Oct 2015 12:00:50 +0000
Received: from [85.158.139.211] by server-14.bemta-5.messagelabs.com id
	04/32-22142-17A02365; Thu, 29 Oct 2015 12:00:49 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-3.tower-206.messagelabs.com!1446120047!13980139!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 28951 invoked from network); 29 Oct 2015 12:00:48 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-3.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	29 Oct 2015 12:00:48 -0000
Received: from [50.57.170.242] (helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsh-0005jS-KR; Thu, 29 Oct 2015 12:00:35 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsh-00026q-Iu; Thu, 29 Oct 2015 12:00:35 +0000
Date: Thu, 29 Oct 2015 12:00:35 +0000
Message-Id: <E1Zrlsh-00026q-Iu@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 150 (CVE-2015-7970) - x86:
 Long latency populate-on-demand operation is not preemptible
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2015-7970 / XSA-150
                               version 5

    x86: Long latency populate-on-demand operation is not preemptible

UPDATES IN VERSION 5
====================

Updated patch.  Compared to the version in XSA-150 v4 and earlier,
this patch is simpler and involves less rearrangement of the code.  It
is therefore thought to be less risky.  However, both this version and
the earlier versions have been tested, and both versions eliminate the
vulnerability.  Readers who have already prepared updates with, and/or
deployed, the earlier patch, do not necessarily need to update.

Public release.

ISSUE DESCRIPTION
=================

When running an HVM domain in Populate-on-Demand mode, Xen would
sometimes search the domain for memory to reclaim, in response to
demands for population of other pages in the same domain.

This search runs without preemption.  The guest can, by suitable
arrangement of its memory contents, create a situation where this
search is a time-consuming linear scan of the guest's address space.

The scan might be triggered by the guest's own actions, or by
toolstack operations such as migration.  In guests affected by
XSA-153, this scan might be triggered simply by memory pressure in the
guest.

Even guests not started in PoD mode can create PoD entries.

IMPACT
======

A malicious HVM guest administrator can cause a denial of service.
Specifically, they can prevent use of a physical CPU for a significant
period.

If a host watchdog (Xen or dom0) is in use, this can lead to a
watchdog timeout and consequently a reboot of the host.  If another,
innocent, guest is configured with a watchdog, this issue can lead to
a reboot of such a guest.

In guests affected by XSA-153, this vulnerability may also be
triggered by an unprivileged guest user, simply by imposing a workload
which generates memory pressure.

VULNERABLE SYSTEMS
==================

The vulnerability is exposed to any x86 HVM guest.

ARM is not vulnerable.  x86 PV VMs are not vulnerable.

Versions of Xen from 3.4 onwards are affected.

MITIGATION
==========

Running only PV guests will avoid this issue.

On systems not also vulnerable to XSA-153, the vulnerability can be
avoided by ensuring that only trusted guest kernels are used, and that
further steps are taken to prevent a guest administrator from loading
code into the kernel (e.g. by disabling loadable modules etc) or from
using other mechanisms which allow them to run code at kernel
privilege.

CREDITS
=======

This issue was disclosed by Andrew Cooper of Citrix.

RESOLUTION
==========

Attached is a patch which resolves the issue by limiting the
long-running "sweep" operation.

This patch will resolve the issue on systems where PoD is not
intentionally in use.  (I.e., where all HVM guests are started with
memory==maxmem.)


When PoD is in use, there are concerns that there may be situations --
operating systems not tested, or buggy balloon drivers, for example --
where limiting the long-running operation may cause guests to crash
which otherwise would not.

Therefore, the patch should be used with caution.

This patch can interact badly with configurations vulnerable to XSA-153.
XSA-153 is triggerable by unprivileged guest users.  The patch changes
the consequences from a host-wide CPU denial problem (which might be
tolerated without catastrophic symptoms in some configurations) into a
likely guest crash; thus it limits the scope of the consequences to
the specific guest, but may worsen the severity.


xsa150.patch      xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa150*
9054215f08cab48d2523efb456eb3c93ca6ac580d661f6e4f1feca115c67afa8  xsa150.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWMgobAAoJEIP+FMlX6CvZ7W4H/36Bx6Aj+4PX3kLPwzsheejj
CWpOQjM4BZAVWkv1N9QInJagZ87qRFwFGlM8FzDuGy3dE7Df5MCs/BH9B1xrJ0E9
Ur30mpsw1IAf9YF/l/XlNLf9G6XCo/g2yS7Jfv5qk3953+0ZkqSd7t8ekFaQSKUz
GGOkhQKJuFsnEmimQTLLBt6brHaYfFJtnbKIFzcBQtRExlKI3BYk3OHNLvIUlj6X
MGij0fJTJggvGjaZ+Olthf0GLtDIZ8GbWD+0FQ4bJwEAacSJ1eVOYzVAdNfFIuVv
73MyN8QyEgu+HSc9RJnILV/g7oIfuGazo1A19KAjeImd81W4bQDVnZJ1KCkcbd0=
=ISHR
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa150.patch"
Content-Disposition: attachment; filename="xsa150.patch"
Content-Transfer-Encoding: base64

eDg2L1BvRDogRWFnZXIgc3dlZXAgZm9yIHplcm9lZCBwYWdlcwoKQmFzZWQg
b24gdGhlIGNvbnRlbnRzIG9mIGEgZ3Vlc3RzIHBoeXNpY2FsIGFkZHJlc3Mg
c3BhY2UsCnAybV9wb2RfZW1lcmdlbmN5X3N3ZWVwKCkgY291bGQgZGVncmFk
ZSBpbnRvIGEgbGluZWFyIG1lbWNtcCgpIGZyb20gMCB0bwptYXhfZ2ZuLCB3
aGljaCBydW5zIG5vbi1wcmVlbXB0aWJseS4KCkFzIHAybV9wb2RfZW1lcmdl
bmN5X3N3ZWVwKCkgcnVucyBiZWhpbmQgdGhlIHNjZW5lcyBpbiBhIG51bWJl
ciBvZiBjb250ZXh0cywKbWFraW5nIGl0IHByZWVtcHRpYmxlIGlzIG5vdCBm
ZWFzaWJsZS4KCkluc3RlYWQsIGEgZGlmZmVyZW50IGFwcHJvYWNoIGlzIHRh
a2VuLiAgUmVjZW50bHktcG9wdWxhdGVkIHBhZ2VzIGFyZSBlYWdlcmx5CmNo
ZWNrZWQgZm9yIHJlY2xhaW1hdGlvbiwgd2hpY2ggYW1vcnRpc2VzIHRoZSBw
Mm1fcG9kX2VtZXJnZW5jeV9zd2VlcCgpCm9wZXJhdGlvbiBhY3Jvc3MgZWFj
aCBwMm1fcG9kX2RlbWFuZF9wb3B1bGF0ZSgpIG9wZXJhdGlvbi4KCk5vdGUg
dGhhdCBpbiB0aGUgY2FzZSB0aGF0IGEgMk0gc3VwZXJwYWdlIGNhbid0IGJl
IHJlY2xhaW1lZCBhcyBhIHN1cGVycGFnZSwKaXQgaXMgc2hhdHRlcmVkIGlm
IDRLIHBhZ2VzIG9mIHplcm9zIGNhbiBiZSByZWNsYWltZWQuICBUaGlzIGlz
IHVuZm9ydHVuYXRlCmJ1dCBtYXRjaGVzIHRoZSBwcmV2aW91cyBiZWhhdmlv
dXIsIGFuZCBpcyByZXF1aXJlZCB0byBhdm9pZCByZWdyZXNzaW9ucwooZG9t
YWluIGNyYXNoIGZyb20gUG9EIGV4aGF1c3Rpb24pIHdpdGggVk1zIGNvbmZp
Z3VyZWQgY2xvc2UgdG8gdGhlIGxpbWl0LgoKVGhpcyBpcyBDVkUtMjAxNS03
OTcwIC8gWFNBLTE1MC4KClNpZ25lZC1vZmYtYnk6IEFuZHJldyBDb29wZXIg
PGFuZHJldy5jb29wZXIzQGNpdHJpeC5jb20+ClJldmlld2VkLWJ5OiBKYW4g
QmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+ClJldmlld2VkLWJ5OiBHZW9y
Z2UgRHVubGFwIDxnZW9yZ2UuZHVubGFwQGNpdHJpeC5jb20+CgotLS0gYS94
ZW4vYXJjaC94ODYvbW0vcDJtLXBvZC5jCisrKyBiL3hlbi9hcmNoL3g4Ni9t
bS9wMm0tcG9kLmMKQEAgLTkyMCwyOCArOTIwLDYgQEAgcDJtX3BvZF96ZXJv
X2NoZWNrKHN0cnVjdCBwMm1fZG9tYWluICpwMgogfQogCiAjZGVmaW5lIFBP
RF9TV0VFUF9MSU1JVCAxMDI0Ci0KLS8qIFdoZW4gcG9wdWxhdGluZyBhIG5l
dyBzdXBlcnBhZ2UsIGxvb2sgYXQgcmVjZW50bHkgcG9wdWxhdGVkIHN1cGVy
cGFnZXMKLSAqIGhvcGluZyB0aGF0IHRoZXkndmUgYmVlbiB6ZXJvZWQuICBU
aGlzIHdpbGwgc25hcCB1cCB6ZXJvZWQgcGFnZXMgYXMgc29vbiBhcyAKLSAq
IHRoZSBndWVzdCBPUyBpcyBkb25lIHdpdGggdGhlbS4gKi8KLXN0YXRpYyB2
b2lkCi1wMm1fcG9kX2NoZWNrX2xhc3Rfc3VwZXIoc3RydWN0IHAybV9kb21h
aW4gKnAybSwgdW5zaWduZWQgbG9uZyBnZm5fYWxpZ25lZCkKLXsKLSAgICB1
bnNpZ25lZCBsb25nIGNoZWNrX2dmbjsKLQotICAgIEFTU0VSVChwMm0tPnBv
ZC5sYXN0X3BvcHVsYXRlZF9pbmRleCA8IFBPRF9ISVNUT1JZX01BWCk7Ci0K
LSAgICBjaGVja19nZm4gPSBwMm0tPnBvZC5sYXN0X3BvcHVsYXRlZFtwMm0t
PnBvZC5sYXN0X3BvcHVsYXRlZF9pbmRleF07Ci0KLSAgICBwMm0tPnBvZC5s
YXN0X3BvcHVsYXRlZFtwMm0tPnBvZC5sYXN0X3BvcHVsYXRlZF9pbmRleF0g
PSBnZm5fYWxpZ25lZDsKLQotICAgIHAybS0+cG9kLmxhc3RfcG9wdWxhdGVk
X2luZGV4ID0KLSAgICAgICAgKCBwMm0tPnBvZC5sYXN0X3BvcHVsYXRlZF9p
bmRleCArIDEgKSAlIFBPRF9ISVNUT1JZX01BWDsKLQotICAgIHAybV9wb2Rf
emVyb19jaGVja19zdXBlcnBhZ2UocDJtLCBjaGVja19nZm4pOwotfQotCi0K
ICNkZWZpbmUgUE9EX1NXRUVQX1NUUklERSAgMTYKIHN0YXRpYyB2b2lkCiBw
Mm1fcG9kX2VtZXJnZW5jeV9zd2VlcChzdHJ1Y3QgcDJtX2RvbWFpbiAqcDJt
KQpAQCAtOTgyLDcgKzk2MCw3IEBAIHAybV9wb2RfZW1lcmdlbmN5X3N3ZWVw
KHN0cnVjdCBwMm1fZG9tYWkKICAgICAgICAgICogTkIgdGhhdCB0aGlzIGlz
IGEgemVyby1zdW0gZ2FtZTsgd2UncmUgaW5jcmVhc2luZyBvdXIgY2FjaGUg
c2l6ZQogICAgICAgICAgKiBieSByZS1pbmNyZWFzaW5nIG91ciAnZGVidCcu
ICBTaW5jZSB3ZSBob2xkIHRoZSBwb2QgbG9jaywKICAgICAgICAgICogKGVu
dHJ5X2NvdW50IC0gY291bnQpIG11c3QgcmVtYWluIHRoZSBzYW1lLiAqLwot
ICAgICAgICBpZiAoIHAybS0+cG9kLmNvdW50ID4gMCAmJiBpIDwgbGltaXQg
KQorICAgICAgICBpZiAoIGkgPCBsaW1pdCAmJiAocDJtLT5wb2QuY291bnQg
PiAwIHx8IGh5cGVyY2FsbF9wcmVlbXB0X2NoZWNrKCkpICkKICAgICAgICAg
ICAgIGJyZWFrOwogICAgIH0KIApAQCAtOTk0LDYgKzk3Miw1OCBAQCBwMm1f
cG9kX2VtZXJnZW5jeV9zd2VlcChzdHJ1Y3QgcDJtX2RvbWFpCiAKIH0KIAor
c3RhdGljIHZvaWQgcG9kX2VhZ2VyX3JlY2xhaW0oc3RydWN0IHAybV9kb21h
aW4gKnAybSkKK3sKKyAgICBzdHJ1Y3QgcG9kX21ycF9saXN0ICptcnAgPSAm
cDJtLT5wb2QubXJwOworICAgIHVuc2lnbmVkIGludCBpID0gMDsKKworICAg
IC8qCisgICAgICogQWx3YXlzIGNoZWNrIG9uZSBwYWdlIGZvciByZWNsYWlt
YXRpb24uCisgICAgICoKKyAgICAgKiBJZiB0aGUgUG9EIHBvb2wgaXMgZW1w
dHksIGtlZXAgY2hlY2tpbmcgc29tZSBzcGFjZSBpcyBmb3VuZCwgb3IgYWxs
CisgICAgICogZW50cmllcyBoYXZlIGJlZW4gZXhoYXVzZWQuCisgICAgICov
CisgICAgZG8KKyAgICB7CisgICAgICAgIHVuc2lnbmVkIGludCBpZHggPSAo
bXJwLT5pZHggKyBpKyspICUgQVJSQVlfU0laRShtcnAtPmxpc3QpOworICAg
ICAgICB1bnNpZ25lZCBsb25nIGdmbiA9IG1ycC0+bGlzdFtpZHhdOworCisg
ICAgICAgIGlmICggZ2ZuICE9IElOVkFMSURfR0ZOICkKKyAgICAgICAgewor
ICAgICAgICAgICAgaWYgKCBnZm4gJiBQT0RfTEFTVF9TVVBFUlBBR0UgKQor
ICAgICAgICAgICAgeworICAgICAgICAgICAgICAgIGdmbiAmPSB+UE9EX0xB
U1RfU1VQRVJQQUdFOworCisgICAgICAgICAgICAgICAgaWYgKCBwMm1fcG9k
X3plcm9fY2hlY2tfc3VwZXJwYWdlKHAybSwgZ2ZuKSA9PSAwICkKKyAgICAg
ICAgICAgICAgICB7CisgICAgICAgICAgICAgICAgICAgIHVuc2lnbmVkIGlu
dCB4OworCisgICAgICAgICAgICAgICAgICAgIGZvciAoIHggPSAwOyB4IDwg
U1VQRVJQQUdFX1BBR0VTOyArK3gsICsrZ2ZuICkKKyAgICAgICAgICAgICAg
ICAgICAgICAgIHAybV9wb2RfemVyb19jaGVjayhwMm0sICZnZm4sIDEpOwor
ICAgICAgICAgICAgICAgIH0KKyAgICAgICAgICAgIH0KKyAgICAgICAgICAg
IGVsc2UKKyAgICAgICAgICAgICAgICBwMm1fcG9kX3plcm9fY2hlY2socDJt
LCAmZ2ZuLCAxKTsKKworICAgICAgICAgICAgbXJwLT5saXN0W2lkeF0gPSBJ
TlZBTElEX0dGTjsKKyAgICAgICAgfQorCisgICAgfSB3aGlsZSAoIChwMm0t
PnBvZC5jb3VudCA9PSAwKSAmJiAoaSA8IEFSUkFZX1NJWkUobXJwLT5saXN0
KSkgKTsKK30KKworc3RhdGljIHZvaWQgcG9kX2VhZ2VyX3JlY29yZChzdHJ1
Y3QgcDJtX2RvbWFpbiAqcDJtLAorICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICB1bnNpZ25lZCBsb25nIGdmbiwgdW5zaWduZWQgaW50IG9yZGVyKQor
eworICAgIHN0cnVjdCBwb2RfbXJwX2xpc3QgKm1ycCA9ICZwMm0tPnBvZC5t
cnA7CisKKyAgICBBU1NFUlQobXJwLT5saXN0W21ycC0+aWR4XSA9PSBJTlZB
TElEX0dGTik7CisgICAgQVNTRVJUKGdmbiAhPSBJTlZBTElEX0dGTik7CisK
KyAgICBtcnAtPmxpc3RbbXJwLT5pZHgrK10gPQorICAgICAgICBnZm4gfCAo
b3JkZXIgPT0gUEFHRV9PUkRFUl8yTSA/IFBPRF9MQVNUX1NVUEVSUEFHRSA6
IDApOworICAgIG1ycC0+aWR4ICU9IEFSUkFZX1NJWkUobXJwLT5saXN0KTsK
K30KKwogaW50CiBwMm1fcG9kX2RlbWFuZF9wb3B1bGF0ZShzdHJ1Y3QgcDJt
X2RvbWFpbiAqcDJtLCB1bnNpZ25lZCBsb25nIGdmbiwKICAgICAgICAgICAg
ICAgICAgICAgICAgIHVuc2lnbmVkIGludCBvcmRlciwKQEAgLTEwMzQsNiAr
MTA2NCw4IEBAIHAybV9wb2RfZGVtYW5kX3BvcHVsYXRlKHN0cnVjdCBwMm1f
ZG9tYWkKICAgICAgICAgcmV0dXJuIDA7CiAgICAgfQogCisgICAgcG9kX2Vh
Z2VyX3JlY2xhaW0ocDJtKTsKKwogICAgIC8qIE9ubHkgc3dlZXAgaWYgd2Un
cmUgYWN0dWFsbHkgb3V0IG9mIG1lbW9yeS4gIERvaW5nIGFueXRoaW5nIGVs
c2UKICAgICAgKiBjYXVzZXMgdW5uZWNlc3NhcnkgdGltZSBhbmQgZnJhZ21l
bnRhdGlvbiBvZiBzdXBlcnBhZ2VzIGluIHRoZSBwMm0uICovCiAgICAgaWYg
KCBwMm0tPnBvZC5jb3VudCA9PSAwICkKQEAgLTEwNzAsNiArMTEwMiw4IEBA
IHAybV9wb2RfZGVtYW5kX3BvcHVsYXRlKHN0cnVjdCBwMm1fZG9tYWkKICAg
ICBwMm0tPnBvZC5lbnRyeV9jb3VudCAtPSAoMSA8PCBvcmRlcik7CiAgICAg
QlVHX09OKHAybS0+cG9kLmVudHJ5X2NvdW50IDwgMCk7CiAKKyAgICBwb2Rf
ZWFnZXJfcmVjb3JkKHAybSwgZ2ZuX2FsaWduZWQsIG9yZGVyKTsKKwogICAg
IGlmICggdGJfaW5pdF9kb25lICkKICAgICB7CiAgICAgICAgIHN0cnVjdCB7
CkBAIC0xMDg1LDEyICsxMTE5LDYgQEAgcDJtX3BvZF9kZW1hbmRfcG9wdWxh
dGUoc3RydWN0IHAybV9kb21haQogICAgICAgICBfX3RyYWNlX3ZhcihUUkNf
TUVNX1BPRF9QT1BVTEFURSwgMCwgc2l6ZW9mKHQpLCAmdCk7CiAgICAgfQog
Ci0gICAgLyogQ2hlY2sgdGhlIGxhc3QgZ3Vlc3QgZGVtYW5kLXBvcHVsYXRl
ICovCi0gICAgaWYgKCBwMm0tPnBvZC5lbnRyeV9jb3VudCA+IHAybS0+cG9k
LmNvdW50IAotICAgICAgICAgJiYgKG9yZGVyID09IFBBR0VfT1JERVJfMk0p
Ci0gICAgICAgICAmJiAocSAmIFAyTV9BTExPQykgKQotICAgICAgICBwMm1f
cG9kX2NoZWNrX2xhc3Rfc3VwZXIocDJtLCBnZm5fYWxpZ25lZCk7Ci0KICAg
ICBwb2RfdW5sb2NrKHAybSk7CiAgICAgcmV0dXJuIDA7CiBvdXRfb2ZfbWVt
b3J5OgotLS0gYS94ZW4vYXJjaC94ODYvbW0vcDJtLmMKKysrIGIveGVuL2Fy
Y2gveDg2L21tL3AybS5jCkBAIC01OCw2ICs1OCw3IEBAIGJvb2xlYW5fcGFy
YW0oImhhcF8ybWIiLCBvcHRfaGFwXzJtYik7CiAvKiBJbml0IHRoZSBkYXRh
c3RydWN0dXJlcyBmb3IgbGF0ZXIgdXNlIGJ5IHRoZSBwMm0gY29kZSAqLwog
c3RhdGljIGludCBwMm1faW5pdGlhbGlzZShzdHJ1Y3QgZG9tYWluICpkLCBz
dHJ1Y3QgcDJtX2RvbWFpbiAqcDJtKQogeworICAgIHVuc2lnbmVkIGludCBp
OwogICAgIGludCByZXQgPSAwOwogCiAgICAgbW1fcndsb2NrX2luaXQoJnAy
bS0+bG9jayk7CkBAIC03Myw2ICs3NCw5IEBAIHN0YXRpYyBpbnQgcDJtX2lu
aXRpYWxpc2Uoc3RydWN0IGRvbWFpbiAKIAogICAgIHAybS0+bnAybV9iYXNl
ID0gUDJNX0JBU0VfRUFERFI7CiAKKyAgICBmb3IgKCBpID0gMDsgaSA8IEFS
UkFZX1NJWkUocDJtLT5wb2QubXJwLmxpc3QpOyArK2kgKQorICAgICAgICBw
Mm0tPnBvZC5tcnAubGlzdFtpXSA9IElOVkFMSURfR0ZOOworCiAgICAgaWYg
KCBoYXBfZW5hYmxlZChkKSAmJiBjcHVfaGFzX3ZteCApCiAgICAgICAgIHJl
dCA9IGVwdF9wMm1faW5pdChwMm0pOwogICAgIGVsc2UKLS0tIGEveGVuL2lu
Y2x1ZGUvYXNtLXg4Ni9wMm0uaAorKysgYi94ZW4vaW5jbHVkZS9hc20teDg2
L3AybS5oCkBAIC0yOTIsMTAgKzI5MiwyMCBAQCBzdHJ1Y3QgcDJtX2RvbWFp
biB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgZW50cnlfY291bnQ7ICAv
KiAjIG9mIHBhZ2VzIGluIHAybSBtYXJrZWQgcG9kICAgICAgKi8KICAgICAg
ICAgdW5zaWduZWQgbG9uZyAgICByZWNsYWltX3NpbmdsZTsgLyogTGFzdCBn
cGZuIG9mIGEgc2NhbiAqLwogICAgICAgICB1bnNpZ25lZCBsb25nICAgIG1h
eF9ndWVzdDsgICAgLyogZ3BmbiBvZiBtYXggZ3Vlc3QgZGVtYW5kLXBvcHVs
YXRlICovCi0jZGVmaW5lIFBPRF9ISVNUT1JZX01BWCAxMjgKLSAgICAgICAg
LyogZ3BmbiBvZiBsYXN0IGd1ZXN0IHN1cGVycGFnZSBkZW1hbmQtcG9wdWxh
dGVkICovCi0gICAgICAgIHVuc2lnbmVkIGxvbmcgICAgbGFzdF9wb3B1bGF0
ZWRbUE9EX0hJU1RPUllfTUFYXTsgCi0gICAgICAgIHVuc2lnbmVkIGludCAg
ICAgbGFzdF9wb3B1bGF0ZWRfaW5kZXg7CisKKyAgICAgICAgLyoKKyAgICAg
ICAgICogVHJhY2tpbmcgb2YgdGhlIG1vc3QgcmVjZW50bHkgcG9wdWxhdGVk
IFBvRCBwYWdlcywgZm9yIGVhZ2VyCisgICAgICAgICAqIHJlY2xhbWF0aW9u
LgorICAgICAgICAgKi8KKyAgICAgICAgc3RydWN0IHBvZF9tcnBfbGlzdCB7
CisjZGVmaW5lIE5SX1BPRF9NUlBfRU5UUklFUyAzMgorCisvKiBFbmNvZGUg
T1JERVJfMk0gc3VwZXJwYWdlIGluIHRvcCBiaXQgb2YgR0ZOICovCisjZGVm
aW5lIFBPRF9MQVNUX1NVUEVSUEFHRSAoSU5WQUxJRF9HRk4gJiB+KElOVkFM
SURfR0ZOID4+IDEpKQorCisgICAgICAgICAgICB1bnNpZ25lZCBsb25nIGxp
c3RbTlJfUE9EX01SUF9FTlRSSUVTXTsKKyAgICAgICAgICAgIHVuc2lnbmVk
IGludCBpZHg7CisgICAgICAgIH0gbXJwOwogICAgICAgICBtbV9sb2NrX3Qg
ICAgICAgIGxvY2s7ICAgICAgICAgLyogTG9ja2luZyBvZiBwcml2YXRlIHBv
ZCBzdHJ1Y3RzLCAgICoKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAqIG5vdCByZWx5aW5nIG9uIHRoZSBwMm0gbG9jay4gICAg
ICAqLwogICAgIH0gcG9kOwo=

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
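
The two reclaim paths XSA-150 is about, as a toy model added here for illustration; it is not Xen code and is not part of the advisory or of xsa150.patch. The 32-entry ring of most-recently-populated gfns, the INVALID_GFN sentinel and the reclaim/record loop follow the shape of the patch attached above; the flat page list, the one-page PoD cache, the sweep budget (standing in for the patch's hypercall_preempt_check() bail-out) and the workload (the guest zeroes page n-1, then dirties page n) are constructed simplifications. The model counts how many gfns the hypervisor examines per populate: the pre-fix emergency sweep walks the whole address space every time the cache runs dry, eager reclaim finds the freshly zeroed page in one check, and a budgeted sweep without eager reclaim leaves the cache empty so the guest crashes, which is the caveat the RESOLUTION section raises.

```python
"""Toy model of Xen populate-on-demand (PoD) reclaim, written for this page.

Not Xen code.  The ring size, INVALID_GFN and the reclaim/record loops follow
the shape of xsa150.patch; the flat page list, the one-page cache, the sweep
budget and the workload are constructed simplifications.
"""

PAGE = 16                   # bytes per toy page (real pages are 4 KiB)
NR_POD_MRP_ENTRIES = 32     # ring size from xsa150.patch
INVALID_GFN = None


class PodDomain:
    def __init__(self, max_gfn, cache_pages, eager, sweep_budget=None):
        self.mem = [None] * max_gfn        # None = PoD entry, not yet backed
        self.count = cache_pages           # pages currently in the PoD cache
        self.eager = eager                 # True = xsa150 eager reclaim on
        self.sweep_budget = sweep_budget   # None = unbounded sweep (pre-fix)
        self.visited = 0                   # cost meter: gfns examined
        self.mrp = [INVALID_GFN] * NR_POD_MRP_ENTRIES
        self.idx = 0

    def _zero_check(self, gfn):
        """Give a backed, all-zero page back to the cache."""
        page = self.mem[gfn]
        if page is not None and not any(page):
            self.mem[gfn] = None
            self.count += 1
            return True
        return False

    def _emergency_sweep(self):
        """Pre-fix behaviour: walk down from the top of the guest until the
        cache is non-empty.  With a budget, give up early instead (the
        patch's preempt-check bail-out), possibly leaving the cache empty."""
        gfn = len(self.mem) - 1
        budget = self.sweep_budget
        while gfn >= 0 and self.count == 0:
            if budget is not None:
                if budget == 0:
                    return
                budget -= 1
            self.visited += 1
            self._zero_check(gfn)
            gfn -= 1

    def _eager_reclaim(self):
        """xsa150 pod_eager_reclaim(): always check one recent gfn; while the
        cache is still empty, keep going round the ring."""
        i = 0
        while True:
            slot = (self.idx + i) % NR_POD_MRP_ENTRIES
            i += 1
            gfn = self.mrp[slot]
            if gfn is not INVALID_GFN:
                self.visited += 1
                self._zero_check(gfn)
                self.mrp[slot] = INVALID_GFN
            if not (self.count == 0 and i < NR_POD_MRP_ENTRIES):
                return

    def _eager_record(self, gfn):
        """xsa150 pod_eager_record(): remember what was just populated."""
        assert self.mrp[self.idx] is INVALID_GFN  # cleared by _eager_reclaim
        self.mrp[self.idx] = gfn
        self.idx = (self.idx + 1) % NR_POD_MRP_ENTRIES

    def populate(self, gfn, data):
        """Guest touches gfn.  Returns False on PoD exhaustion, where the real
        hypervisor crashes the domain."""
        if self.mem[gfn] is not None:      # already backed: plain write
            self.mem[gfn] = data
            return True
        if self.eager:
            self._eager_reclaim()
        if self.count == 0:
            self._emergency_sweep()
        if self.count == 0:
            return False
        self.count -= 1
        self.mem[gfn] = data
        if self.eager:
            self._eager_record(gfn)
        return True


def run_guest(eager, sweep_budget=None, max_gfn=4096, steps=64):
    """Constructed workload: at step n the guest zeroes page n-1 (done with
    it) and then dirties page n.  Returns (gfns_visited, steps_completed,
    crashed)."""
    d = PodDomain(max_gfn, cache_pages=1, eager=eager, sweep_budget=sweep_budget)
    for n in range(steps):
        if n > 0:
            d.mem[n - 1] = bytes(PAGE)            # guest frees previous page
        if not d.populate(n, bytes([0xAA]) * PAGE):
            return d.visited, n, True
    return d.visited, steps, False


if __name__ == "__main__":
    print("pre-fix sweep     :", run_guest(eager=False))
    print("eager reclaim     :", run_guest(eager=True))
    print("limited sweep only:", run_guest(eager=False, sweep_budget=1024))
```

Running it gives (256095, 64, False) for the unbounded sweep, (63, 64, False) with eager reclaim and (1024, 1, True) for a budgeted sweep on its own: the first number is the gfns examined, the second the populates completed, the third whether the domain hit PoD exhaustion. Superpages, the 2M shattering and the pod lock are left out of the model.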


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 29 Oct 2015 12:01:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Zrlt3-0008Da-2i; Thu, 29 Oct 2015 12:00:57 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsz-000889-Tm; Thu, 29 Oct 2015 12:00:54 +0000
Received: from [85.158.139.211] by server-15.bemta-5.messagelabs.com id
	B3/90-16870-57A02365; Thu, 29 Oct 2015 12:00:53 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-13.tower-206.messagelabs.com!1446120051!16204749!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 3864 invoked from network); 29 Oct 2015 12:00:52 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-13.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	29 Oct 2015 12:00:52 -0000
Received: from [50.57.170.242] (helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsk-0005jj-Li; Thu, 29 Oct 2015 12:00:38 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsk-00027q-In; Thu, 29 Oct 2015 12:00:38 +0000
Date: Thu, 29 Oct 2015 12:00:38 +0000
Message-Id: <E1Zrlsk-00027q-In@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 151 (CVE-2015-7969) - x86:
 leak of per-domain profiling-related vcpu pointer array
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-7969 / XSA-151
                              version 3

       x86: leak of per-domain profiling-related vcpu pointer array

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

A domain's xenoprofile state contains an array of per-vcpu
information, which is allocated once in the lifetime of a domain in
response to that domain using the XENOPROF_get_buffer hypercall on
itself or by a domain with the privilege to profile a target domain
using the XENOPROF_set_passive hypercall.

This array is leaked on domain teardown.  This memory leak could --
over time -- exhaust the host's memory.

IMPACT
======

The following parties can mount a denial of service attack affecting
the whole system:

  - A malicious guest administrator via XENOPROF_get_buffer.
  - A domain given suitable privilege over another domain
    via XENOPROF_set_passive (this would usually be a domain being
    used to profile another domain, eg with the xenoprof tool).

The ability to restart or create suitable domains is also required
to fully exploit the issue.  Without this the leak is limited to a
small multiple of the maximum number of vcpus for the domain.

The maximum leak is 128kbytes per domain (re)boot.

VULNERABLE SYSTEMS
==================

Versions of Xen from 4.0 onwards are vulnerable.

The XENOPROF hypercalls are only implemented on x86.  ARM is therefore
not vulnerable.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather
than guest administrator, running only kernels (in the target and
profiling domain respectively) which do not call these hypercalls will
also prevent untrusted guest users from exploiting this issue. However
untrusted guest administrators can still trigger it unless further
steps are taken to prevent them from loading code into the kernel
(e.g. by disabling loadable modules etc) or from using other
mechanisms which allow them to run code at kernel privilege.

The leak is small.  Preventing the creation of large numbers of new
domains, and limiting the number of times an existing domain can be
rebooted, can reduce the impact of this vulnerability.

NOTE REGARDING CVE
==================

Note that CVE-2015-7969 covers both this issue and XSA-149.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.
(To resolve CVE-2015-7969, the patch from XSA-149 is required too.)

xsa151.patch        xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa151*.patch
e247a9dbbe236ffa3c5aa5e2d41047fa67da80f2b0474eef3440b5b3da2d5617  xsa151.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the PATCH or the TRUSTED KERNEL MITIGATION (or others
which are substantially similar) is permitted during the embargo, even
on public-facing systems with untrusted guest users and
administrators.


However deployment of the (RE)BOOT LIMIT MITIGATION is NOT permitted
(except where all the affected systems and VMs are administered and
used only by organisations which are members of the Xen Project
Security Issues Predisclosure List).  Specifically, deployment on
public cloud systems is NOT permitted.

This is because applying domain creation and reboot limits in
connection with a security issue would be a user-visible change which
could lead to the rediscovery of the vulnerability.

Deployment of the reboot mitigation is permitted only AFTER the
embargo ends.


Also: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWMgm9AAoJEIP+FMlX6CvZticH+waAPTUnRA9CTnPs1BDjiTcc
kBuVb8ouvffinj+FCVQ/CIC1IAkClU8vBcOb3NAe9/PaCYPe9OlAxpvAAxxlgr05
N1Py8rBUEemKcCS9T4jTT2TNLYm9lzFihcTMOp+Y2diavcdmnhXj+kjO/FpD7tG/
TRDBnCVsxA4m+yxQJO8xXWIE+lYCoF+42Qc8Dyi2tcaN4WaBjjD5DyqNHIuf1ISF
DljnT3TsgDIlxmgeQsufX0VIh45FdZXExOmGAgRS3JCn0cTmQwONecyM5NjKaljZ
LEwk5sMSRa4cmb8naJRxPf30CydjmLBMdzU8KRjg+d6M46jTGTV794k/AKc4VxI=
=u9LH
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa151.patch"
Content-Disposition: attachment; filename="xsa151.patch"
Content-Transfer-Encoding: base64

eGVub3Byb2Y6IGZyZWUgZG9tYWluJ3MgdmNwdSBhcnJheQoKVGhpcyB3YXMg
b3Zlcmxvb2tlZCBpbiBmYjQ0MmUyMTcxICgieDg2XzY0OiBhbGxvdyBtb3Jl
IHZDUFUtcyBwZXIKZ3Vlc3QiKS4KClRoaXMgaXMgWFNBLTE1MS4KClNpZ25l
ZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KUmV2
aWV3ZWQtYnk6IElhbiBDYW1wYmVsbCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5j
b20+CgotLS0gYS94ZW4vY29tbW9uL3hlbm9wcm9mLmMKKysrIGIveGVuL2Nv
bW1vbi94ZW5vcHJvZi5jCkBAIC0yMzksNiArMjM5LDcgQEAgc3RhdGljIGlu
dCBhbGxvY194ZW5vcHJvZl9zdHJ1Y3QoCiAgICAgZC0+eGVub3Byb2YtPnJh
d2J1ZiA9IGFsbG9jX3hlbmhlYXBfcGFnZXMoZ2V0X29yZGVyX2Zyb21fcGFn
ZXMobnBhZ2VzKSwgMCk7CiAgICAgaWYgKCBkLT54ZW5vcHJvZi0+cmF3YnVm
ID09IE5VTEwgKQogICAgIHsKKyAgICAgICAgeGZyZWUoZC0+eGVub3Byb2Yt
PnZjcHUpOwogICAgICAgICB4ZnJlZShkLT54ZW5vcHJvZik7CiAgICAgICAg
IGQtPnhlbm9wcm9mID0gTlVMTDsKICAgICAgICAgcmV0dXJuIC1FTk9NRU07
CkBAIC0yODYsNiArMjg3LDcgQEAgdm9pZCBmcmVlX3hlbm9wcm9mX3BhZ2Vz
KHN0cnVjdCBkb21haW4gKgogICAgICAgICBmcmVlX3hlbmhlYXBfcGFnZXMo
eC0+cmF3YnVmLCBvcmRlcik7CiAgICAgfQogCisgICAgeGZyZWUoeC0+dmNw
dSk7CiAgICAgeGZyZWUoeCk7CiAgICAgZC0+eGVub3Byb2YgPSBOVUxMOwog
fQo=

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 29 Oct 2015 12:01:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Zrlsl-0007qr-SH; Thu, 29 Oct 2015 12:00:39 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Zrlsk-0007ns-5t; Thu, 29 Oct 2015 12:00:38 +0000
Received: from [85.158.137.68] by server-16.bemta-3.messagelabs.com id
	2F/65-03763-56A02365; Thu, 29 Oct 2015 12:00:37 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-10.tower-31.messagelabs.com!1446120034!57957892!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 32598 invoked from network); 29 Oct 2015 12:00:35 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-10.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	29 Oct 2015 12:00:35 -0000
Received: from [50.57.170.242] (helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZrlsZ-0005im-M0; Thu, 29 Oct 2015 12:00:27 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZrlsZ-00024q-IX; Thu, 29 Oct 2015 12:00:27 +0000
Date: Thu, 29 Oct 2015 12:00:27 +0000
Message-Id: <E1ZrlsZ-00024q-IX@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 148 (CVE-2015-7835) - x86:
 Uncontrolled creation of large page mappings by PV guests
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-7835 / XSA-148
                              version 4

      x86: Uncontrolled creation of large page mappings by PV guests

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The code to validate level 2 page table entries is bypassed when
certain conditions are satisfied.  This means that a PV guest can
create writeable mappings using super page mappings.

Such writeable mappings can violate Xen's intended invariants for pages
which Xen is supposed to keep read-only.

This is possible even if the "allowsuperpage" command line option is
not used.

IMPACT
======

Malicious PV guest administrators can escalate privilege so as to
control the whole system.

VULNERABLE SYSTEMS
==================

Xen 3.4 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only PV guests can exploit the vulnerability.  Both 32-bit and 64-bit
PV guests can do so.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.

On systems where the guest kernel is controlled by the host rather
than guest administrator, running only kernels which do not call these
hypercalls will also prevent untrusted guest users from exploiting
this issue. However, untrusted guest administrators can still trigger
it unless further steps are taken to prevent them from loading code
into the kernel (e.g. by disabling loadable modules, etc.) or from using
other mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by 栾尚聪 (好风) of Alibaba.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa148.patch                 xen-unstable, Xen 4.6.x
xsa148-4.5.patch             Xen 4.5.x
xsa148-4.4.patch             Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa148*.patch
f320d105a4832124910f46c50acd4803fe289bd7c4702ec15f97fb611b70944d  xsa148.patch
7f78efd001f041a0e5502546664d28011cb881d72c94ea564585efb3ca01ddfe  xsa148-4.4.patch
272a729048471cea851d4a881f3f2c32c7be101e2a452d2b2ceb9d66908ee4a3  xsa148-4.5.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWMgm4AAoJEIP+FMlX6CvZPl0IAI7uPHn9OiDqQlKnvuF5DJkx
WkmX6lNgIXd9arkZ2gUvlenPArfJV2Rv75TP/0LLuITrv+AcylFEBd7T7rdbXeAT
w5TaYI1wnixu8D+klyMGDjIt8Oy0gG1D8tpJYB4SETmT/Knv9FmFmUrShPD5kEVW
6W3j3PulCpPX6+8rpmD+1CD8DDH/FHvr3xc/mK9gaWTSfPvYX0wcUbVR5GK63SHy
6smdmcbyMz6RLlq9MRSs1ifYuAOFel3bFi0NaUm+w3luVozgg6MiEopmnmLZXgbu
93iMDiKbQmr6XdsqvqWexJ7hAiWD5Sp+ztUW0iyNLKpj482VU9wSm0vwneZpgCg=
=WDZi
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa148.patch"
Content-Disposition: attachment; filename="xsa148.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: application/octet-stream; name="xsa148-4.4.patch"
Content-Disposition: attachment; filename="xsa148-4.4.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: application/octet-stream; name="xsa148-4.5.patch"
Content-Disposition: attachment; filename="xsa148-4.5.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--=separator--


From xen-announce-bounces@lists.xen.org Thu Oct 29 12:01:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 29 Oct 2015 12:01:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZrlsX-0007g9-B3; Thu, 29 Oct 2015 12:00:25 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZrlsV-0007fW-V6; Thu, 29 Oct 2015 12:00:24 +0000
Received: from [85.158.137.68] by server-12.bemta-3.messagelabs.com id
	C5/C4-14900-65A02365; Thu, 29 Oct 2015 12:00:22 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-12.tower-31.messagelabs.com!1446120020!21062736!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 28787 invoked from network); 29 Oct 2015 12:00:21 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-12.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	29 Oct 2015 12:00:21 -0000
Received: from [50.57.170.242] (helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZrlsM-0005ht-Pc; Thu, 29 Oct 2015 12:00:14 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZrlsM-00021I-Bt; Thu, 29 Oct 2015 12:00:14 +0000
Date: Thu, 29 Oct 2015 12:00:14 +0000
Message-Id: <E1ZrlsM-00021I-Bt@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 145 (CVE-2015-7812) - arm:
 Host crash when preempting a multicall
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-7812 / XSA-145
                              version 3

             arm: Host crash when preempting a multicall

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Early versions of Xen on ARM did not support "multicall" functionality
(the ability to perform multiple operations via a single hypercall)
and therefore stubbed out the functionality needed to support
preemption of multicalls in a manner which crashed the host.

When multicall support was subsequently added these stubs were not
replaced with the correct functionality and therefore exposed to
guests a code path which crashes the host.

Any guest can issue a preemptable hypercall via the multicall interface
to exploit this vulnerability.

IMPACT
======

A malicious guest can crash the host.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.

x86 systems are not vulnerable.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather
than guest administrator, running only kernels which do not make use
of multicall functionality will prevent untrusted guest users from
exploiting this issue. However, untrusted guest administrators can still
trigger it unless further steps are taken to prevent them from loading
code into the kernel (e.g. by disabling loadable modules, etc.) or from
using other mechanisms which allow them to run code at kernel
privilege.

CREDITS
=======

This issue was discovered by Julien Grall of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa145.patch        xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x

$ sha256sum xsa145*.patch
4d4a4724e4d367ddfc9ac1b43dfe81bce873c65fe9bb13f443266dd12c002db1  xsa145.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWMgmzAAoJEIP+FMlX6CvZUV0H/2uDN/R1KaR1x2OljM5toEUR
vGrEN1LX/AzQ1f4DADZO4LIvth2BLdFEB6OsaaKThFdnZjJWQ0fbfxIzb6eGOpMR
XzuToUEIBTA01JHKNUo5ovWQ36gePyvxkFWDjk8Ixj22YpbuyUDU5HiHH5UpTovg
0QLfJdKDij7Sp3/r9quQ5KSO86kw9CZqut5qRvMI8VKRa03O2jDch5iKkyDTcuCL
md7r5+k6O3F4/TVPrlET+BAHOqgOtuQd6EMFfqXolsr12OpzzBz2/ntK4srmqlZc
wa7PgAoELAaLnv4nBtFEtIyjg9YI4RIKnMwBbeD9suM305ohi3yDCxDj9eaYJwo=
=eNQ5
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa145.patch"
Content-Disposition: attachment; filename="xsa145.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--=separator--
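
The RESOLUTION sections of XSA-148 and XSA-145 above publish a sha256sum
listing for each attached patch, inside the PGP-signed part of the advisory.
The script below is an added example, not code from the Xen Project or from
the advisories: it re-checks saved patch files against those published
digests and refuses to go on if any file is missing or differs. It assumes
GNU coreutils sha256sum is available, that the patches were saved under the
file names the advisories use, and the function names (verify_patch,
verify_listing, check_xsa_patches) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Xen advisories): verify downloaded XSA patches
# against the sha256 digests published in each advisory's RESOLUTION section
# before applying them. Assumes GNU coreutils sha256sum and that the patches
# were saved under the file names the advisories use.

# verify_patch FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise.
verify_patch() {
    _file=$1
    _expected=$2
    if [ ! -f "$_file" ]; then
        echo "missing: $_file" >&2
        return 1
    fi
    _actual=$(sha256sum "$_file" | cut -d' ' -f1)
    if [ "$_actual" = "$_expected" ]; then
        return 0
    fi
    echo "DIGEST MISMATCH $_file: got $_actual, advisory lists $_expected" >&2
    return 1
}

# verify_listing reads "<sha256>  <file>" lines on stdin (the advisory's
# sha256sum output pasted verbatim), checks each file and returns the
# number of files that are missing or do not match (0 = all good).
verify_listing() {
    _fail=0
    while read -r _sum _name; do
        [ -n "$_sum" ] || continue            # skip blank lines
        verify_patch "$_name" "$_sum" || _fail=$((_fail + 1))
    done
    return "$_fail"
}

# Digests copied from the XSA-148 and XSA-145 advisories above.
XSA_SUMS='
f320d105a4832124910f46c50acd4803fe289bd7c4702ec15f97fb611b70944d  xsa148.patch
7f78efd001f041a0e5502546664d28011cb881d72c94ea564585efb3ca01ddfe  xsa148-4.4.patch
272a729048471cea851d4a881f3f2c32c7be101e2a452d2b2ceb9d66908ee4a3  xsa148-4.5.patch
4d4a4724e4d367ddfc9ac1b43dfe81bce873c65fe9bb13f443266dd12c002db1  xsa145.patch
'

# check_xsa_patches: run from the directory holding the saved patches.
# Only apply a patch (e.g. `patch -p1 < xsa148.patch` in the matching Xen
# tree) after this reports success.
check_xsa_patches() {
    if printf '%s\n' "$XSA_SUMS" | verify_listing; then
        echo "all patch digests match the advisories"
        return 0
    fi
    echo "refusing to apply: at least one digest check failed" >&2
    return 1
}
```

Two points worth keeping in mind when using it. The digest only confirms
that the file is the one the advisory describes; which Xen release it applies
to is given by the version table next to it (xsa148-4.4.patch covers 4.4.x
and 4.3.x, for instance). And because the listing sits inside the PGP-signed
body, verifying the advisory's signature first is what makes the digests
themselves trustworthy.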


