From xen-announce-bounces@lists.xen.org Wed Jan 20 12:09:56 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Jan 2016 12:09:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aLrZJ-0003IE-Sf; Wed, 20 Jan 2016 12:08:57 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aLrZI-0003HL-JV; Wed, 20 Jan 2016 12:08:56 +0000 Received: from [85.158.137.68] by server-9.bemta-3.messagelabs.com id 85/91-03066-7D87F965; Wed, 20 Jan 2016 12:08:55 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-14.tower-31.messagelabs.com!1453291733!16986655!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 7.35.1; banners=-,-,- X-VirusChecked: Checked Received: (qmail 4977 invoked from network); 20 Jan 2016 12:08:54 -0000 Received: from 50-57-168-107.static.cloud-ips.com (HELO mail.xen.org) (50.57.168.107) by server-14.tower-31.messagelabs.com with AES256-SHA encrypted SMTP; 20 Jan 2016 12:08:54 -0000 Received: from xenbits.xenproject.org ([50.57.170.242] helo=xenbits.xen.org) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aLrZk-0002yW-Np; Wed, 20 Jan 2016 12:09:24 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1aLrZ9-0003RR-Dg; Wed, 20 Jan 2016 12:08:47 +0000 Date: Wed, 20 Jan 2016 12:08:47 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 168 (CVE-2016-1571) - VMX: intercept issue with INVLPG on non-canonical address X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-1571 / XSA-168 version 3 VMX: intercept issue with INVLPG on non-canonical address UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= While INVLPG does not cause a General Protection Fault when used on a non-canonical address, INVVPID in its "individual address" variant, which is used to back the intercepted INVLPG in certain cases, fails in such cases. Failure of INVVPID results in a hypervisor bug check. IMPACT ====== A malicious guest can crash the host, leading to a Denial of Service. VULNERABLE SYSTEMS ================== Xen versions from 3.3 onwards are affected. Only systems using Intel or Cyrix CPUs are affected. ARM and AMD systems are unaffected. Only HVM guests using shadow mode paging can expose this vulnerability. PV guests, and HVM guests using Hardware Assisted Paging (also known as EPT on affected hardware), are unaffected. Note that while unsupported, guests with enabled nested virtualization are vulnerable even when using EPT. CHECKING FOR VULNERABLE CONFIGURATION ===================================== To discover whether your HVM guests are using HAP, or shadow page tables: request debug key `q' (from the Xen console, or with `xl debug-keys q'). This will print (to the console, and visible in `xl dmesg'), debug information for every domain, containing something like this: (XEN) General information for domain 2: (XEN) refcnt=1 dying=2 pause_count=2 (XEN) nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400 (XEN) handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000 (XEN) paging assistance: hap refcounts translate external ^^^ The presence of `hap' here indicates that the host is not vulnerable to this domain. For an HVM domain the presence of `shadow' indicates that the domain can exploit the vulnerability. Note that `General information' will also be printed for PV domains. For most PV domains there will be no `paging assistance' reported. But PV guests currently being migrated will report (XEN) paging assistance: shadow log_dirty Overall: a domain can exploit the vulnerability if this debug output contains a `paging assistance' line which reports `translate' and which does not report `hap'. MITIGATION ========== Running only PV guests will avoid this vulnerability. Running HVM guests on only AMD hardware will also avoid this vulnerability. Running HVM guests with Hardware Assisted Paging (HAP) enabled will also avoid this vulnerability. This is the default mode on hardware supporting HAP, but can be overridden by hypervisor command line option and guest configuration setting. Such overrides ("hap=0" in either case, with variants like "no-hap" being possible in the hypervisor command line case) would need to be removed to avoid this vulnerability. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the attached patch resolves this issue. xsa168.patch xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x $ sha256sum xsa168* c95198a66485d6e538d113ce2b84630d77c15f597113c38fadd6bf1e24e4c8ec xsa168.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJWn3dEAAoJEIP+FMlX6CvZLaAH/A1FzwQebCOF0MCEMcM9V/zK At3L0XG5oBiVZVpbXAfYULeKaLtTGLBXqhBJjzej0FypCvEYX6BLBITLsw7kMqoW JSYHNHlg4pLH2Wnf6i3fVC7EIHx5XNuDa8Zeyt73wEFJhVpp43PcMwMzBolTUBmP +f5WDkLYflYXv+0XiHfbBLA2fl+K+A5OdDhKgjPZJouGvdfiZxX7EChR0asmmD1i AbSZYTLGhdlSU+fvw+w2XUYSeINS1FEhsZxMbWMVuz7jmPBmOn6u8NLrBdZatYoE Z2Fly81pWD7KDwusVscoLBdmBmI1Wr3u975j5EkQLbsCTsqo5ayP3BpfsieijIg= =UJX5 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa168.patch" Content-Disposition: attachment; filename="xsa168.patch" Content-Transfer-Encoding: base64 eDg2L1ZNWDogcHJldmVudCBJTlZWUElEIGZhaWx1cmUgZHVlIHRvIG5vbi1j YW5vbmljYWwgZ3Vlc3QgYWRkcmVzcwoKV2hpbGUgSU5WTFBHIChhbmQgb24g U1ZNIElOVkxQR0EpIGRvbid0IGZhdWx0IG9uIG5vbi1jYW5vbmljYWwKYWRk cmVzc2VzLCBJTlZWUElEIGZhaWxzIChpbiB0aGUgImluZGl2aWR1YWwgYWRk cmVzcyIgY2FzZSkgd2hlbiBwYXNzZWQKc3VjaCBhbiBhZGRyZXNzLgoKU2lu Y2Ugc3VjaCBpbnRlcmNlcHRlZCBJTlZMUEcgYXJlIGVmZmVjdGl2ZWx5IG5v LW9wcyBhbnl3YXksIGRvbid0IGZpeAp0aGlzIGluIHZteF9pbnZscGdfaW50 ZXJjZXB0KCksIGJ1dCBpbnN0ZWFkIGhhdmUgcGFnaW5nX2ludmxwZygpIG5l dmVyCnJldHVybiB0cnVlIGluIHN1Y2ggYSBjYXNlLgoKVGhpcyBpcyBYU0Et MTY4LgoKU2lnbmVkLW9mZi1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1 c2UuY29tPgpSZXZpZXdlZC1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNv b3BlcjNAY2l0cml4LmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVsbCA8aWFu LmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS94ZW4vaW5jbHVkZS9hc20t eDg2L3BhZ2luZy5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS14ODYvcGFnaW5n LmgKQEAgLTI0NSw3ICsyNDUsNyBAQCBwYWdpbmdfZmF1bHQodW5zaWduZWQg bG9uZyB2YSwgc3RydWN0IGNwCiAgKiBvciAwIGlmIGl0J3Mgc2FmZSBub3Qg dG8gZG8gc28uICovCiBzdGF0aWMgaW5saW5lIGludCBwYWdpbmdfaW52bHBn KHN0cnVjdCB2Y3B1ICp2LCB1bnNpZ25lZCBsb25nIHZhKQogewotICAgIHJl dHVybiBwYWdpbmdfZ2V0X2hvc3Rtb2RlKHYpLT5pbnZscGcodiwgdmEpOwor ICAgIHJldHVybiBpc19jYW5vbmljYWxfYWRkcmVzcyh2YSkgJiYgcGFnaW5n X2dldF9ob3N0bW9kZSh2KS0+aW52bHBnKHYsIHZhKTsKIH0KIAogLyogVHJh bnNsYXRlIGEgZ3Vlc3QgdmlydHVhbCBhZGRyZXNzIHRvIHRoZSBmcmFtZSBu dW1iZXIgdGhhdCB0aGUK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Wed Jan 20 12:09:56 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Jan 2016 12:09:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aLrZH-0003HA-3p; Wed, 20 Jan 2016 12:08:55 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aLrZG-0003Gg-38; Wed, 20 Jan 2016 12:08:54 +0000 Received: from [85.158.137.68] by server-6.bemta-3.messagelabs.com id E8/DE-08479-5D87F965; Wed, 20 Jan 2016 12:08:53 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-12.tower-31.messagelabs.com!1453291731!16918614!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 7.35.1; banners=-,-,- X-VirusChecked: Checked Received: (qmail 31852 invoked from network); 20 Jan 2016 12:08:52 -0000 Received: from 50-57-168-107.static.cloud-ips.com (HELO mail.xen.org) (50.57.168.107) by server-12.tower-31.messagelabs.com with AES256-SHA encrypted SMTP; 20 Jan 2016 12:08:52 -0000 Received: from xenbits.xenproject.org ([50.57.170.242] helo=xenbits.xen.org) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aLrZg-0002yH-Ob; Wed, 20 Jan 2016 12:09:20 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1aLrZ4-0003QN-Ce; Wed, 20 Jan 2016 12:08:43 +0000 Date: Wed, 20 Jan 2016 12:08:42 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 167 (CVE-2016-1570) - PV superpage functionality missing sanity checks X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-1570 / XSA-167 version 4 PV superpage functionality missing sanity checks UPDATES IN VERSION 4 ==================== Public release. ISSUE DESCRIPTION ================= The PV superpage functionality lacks certain validity checks on data being passed to the hypervisor by guests. This is the case for the page identifier (MFN) passed to MMUEXT_MARK_SUPER and MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as well as for various forms of page table updates. IMPACT ====== Use of the feature, which is disabled by default, may have unknown effects, ranging from information leaks through Denial of Service to privilege escalation. VULNERABLE SYSTEMS ================== Only systems which enable the PV superpage feature are affected. That is, only systems with an `allowsuperpage' setting on the hypervisor command line. Note that in Xen 4.0.x and 3.4.x the option is named `allowhugepage'. Xen versions 3.4.0, 3.4.1, and from 4.1 onwards are affected. Only x86 systems are affected. Only PV guests can exploit the vulnerability. MITIGATION ========== Running only HVM guests will avoid this issue. Not enabling PV superpage support (by omitting the `allowsuperpage' or `allowhugepage' hypervisor command line options) will avoid exposing the issue. CREDITS ======= This issue was discovered by Qinghao Tang of 360 Marvel Team. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa167.patch xen-unstable xsa167-4.6.patch Xen 4.6.x, 4.5.x xsa167-4.4.patch Xen 4.4.x, 4.3.x $ sha256sum xsa167* a71f709eef59425cb2113fa48d3b44048c6bf41063200fee1c847f6e0ed45a09 xsa167.patch 194c1ce89292f4cbb9980baa703095bcbeb5849abf46d193e07a98a0d8301f78 xsa167-4.4.patch 2bd786cccfd13c6732d6db8afc9e18058465efcb1bc93f894c359e3a820d5403 xsa167-4.6.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. However deployment of the SUPERPAGE DISABLEMENT MITIGATION is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because disabling PV superpage support is visible to guests, so such deployment could lead to the rediscovery of the vulnerability. Deployment of the mitigation is permitted only AFTER the embargo ends. Also: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJWn3jEAAoJEIP+FMlX6CvZTOsH/2ReFJ0Yhp5da69XKvFEJR/s 0yEFxjvqiSyBPsWjyiaAdOp/1A2sltEeDDnMy7xEoXHmon0p6IV0IR4L+fMCLjl2 1ZI4tKpkn3zUE+IOjfu/GJ53f87XWSq/u9Ri7yZQdxFpgd3AXcLegGm8i4L/58iY vdwAAuczACztEN/NbWFedlGUEd5PKqKwb4wOg1uhLIMwzvjxgtejVAyZD83HgP6i LeWMO7EfeU8ND38Otiw9lNlKD/Ia7vpRG+BXuADLx18hbR1TU9AJ0RO1zb9JnAAj snYdgB6s1wzRD4/HOc+s1uaIttPPODs0IhZunylI7UVhdWKp5Qkszw/QUcmufnk= =5acB -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa167.patch" Content-Disposition: attachment; filename="xsa167.patch" Content-Transfer-Encoding: base64 eDg2L21tOiBQViBzdXBlcnBhZ2UgaGFuZGxpbmcgbGFja3Mgc2FuaXR5IGNo ZWNrcwoKTU1VRVhUX3ssVU59TUFSS19TVVBFUiBmYWlsIHRvIGNoZWNrIHRo ZSBpbnB1dCBNRk4gZm9yIHZhbGlkaXR5IGJlZm9yZQpkZXJlZmVyZW5jaW5n IHBvaW50ZXJzIGludG8gdGhlIHN1cGVycGFnZSBmcmFtZSB0YWJsZS4KCmdl dF9zdXBlcnBhZ2UoKSBoYXMgYSBzaW1pbGFyIGlzc3VlLgoKVGhpcyBpcyBY U0EtMTY3LgoKUmVwb3J0ZWQtYnk6IFFpbmdoYW8gVGFuZyA8bHVvZGFsb25n ZGVAZ21haWwuY29tPgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJl dWxpY2hAc3VzZS5jb20+CkFja2VkLWJ5OiBJYW4gQ2FtcGJlbGwgPGlhbi5j YW1wYmVsbEBjaXRyaXguY29tPgoKLS0tIGEveGVuL2FyY2gveDg2L21tLmMK KysrIGIveGVuL2FyY2gveDg2L21tLmMKQEAgLTI2MzUsNiArMjYzNSw5IEBA IGludCBnZXRfc3VwZXJwYWdlKHVuc2lnbmVkIGxvbmcgbWZuLCBzdHIKIAog ICAgIEFTU0VSVChvcHRfYWxsb3dfc3VwZXJwYWdlKTsKIAorICAgIGlmICgg IW1mbl92YWxpZChtZm4gfCAoTDFfUEFHRVRBQkxFX0VOVFJJRVMgLSAxKSkg KQorICAgICAgICByZXR1cm4gLUVJTlZBTDsKKwogICAgIHNwYWdlID0gbWZu X3RvX3NwYWdlKG1mbik7CiAgICAgeSA9IHNwYWdlLT50eXBlX2luZm87CiAg ICAgZG8gewpAQCAtMzQzMiw0MiArMzQzNSwyNiBAQCBsb25nIGRvX21tdWV4 dF9vcCgKICAgICAgICAgfQogCiAgICAgICAgIGNhc2UgTU1VRVhUX01BUktf U1VQRVI6CisgICAgICAgIGNhc2UgTU1VRVhUX1VOTUFSS19TVVBFUjoKICAg ICAgICAgewogICAgICAgICAgICAgdW5zaWduZWQgbG9uZyBtZm4gPSBvcC5h cmcxLm1mbjsKIAotICAgICAgICAgICAgaWYgKCB1bmxpa2VseShkICE9IHBn X293bmVyKSApCi0gICAgICAgICAgICAgICAgcmMgPSAtRVBFUk07Ci0gICAg ICAgICAgICBlbHNlIGlmICggbWZuICYgKEwxX1BBR0VUQUJMRV9FTlRSSUVT LTEpICkKLSAgICAgICAgICAgIHsKLSAgICAgICAgICAgICAgICBNRU1fTE9H KCJVbmFsaWduZWQgc3VwZXJwYWdlIHJlZmVyZW5jZSBtZm4gJWx4IiwgbWZu KTsKLSAgICAgICAgICAgICAgICByYyA9IC1FSU5WQUw7Ci0gICAgICAgICAg ICB9Ci0gICAgICAgICAgICBlbHNlIGlmICggIW9wdF9hbGxvd19zdXBlcnBh Z2UgKQorICAgICAgICAgICAgaWYgKCAhb3B0X2FsbG93X3N1cGVycGFnZSAp CiAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgTUVNX0xPRygiU3Vw ZXJwYWdlcyBkaXNhbGxvd2VkIik7CiAgICAgICAgICAgICAgICAgcmMgPSAt RU5PU1lTOwogICAgICAgICAgICAgfQotICAgICAgICAgICAgZWxzZQotICAg ICAgICAgICAgICAgIHJjID0gbWFya19zdXBlcnBhZ2UobWZuX3RvX3NwYWdl KG1mbiksIGQpOwotICAgICAgICAgICAgYnJlYWs7Ci0gICAgICAgIH0KLQot ICAgICAgICBjYXNlIE1NVUVYVF9VTk1BUktfU1VQRVI6Ci0gICAgICAgIHsK LSAgICAgICAgICAgIHVuc2lnbmVkIGxvbmcgbWZuID0gb3AuYXJnMS5tZm47 Ci0KLSAgICAgICAgICAgIGlmICggdW5saWtlbHkoZCAhPSBwZ19vd25lcikg KQorICAgICAgICAgICAgZWxzZSBpZiAoIHVubGlrZWx5KGQgIT0gcGdfb3du ZXIpICkKICAgICAgICAgICAgICAgICByYyA9IC1FUEVSTTsKLSAgICAgICAg ICAgIGVsc2UgaWYgKCBtZm4gJiAoTDFfUEFHRVRBQkxFX0VOVFJJRVMtMSkg KQorICAgICAgICAgICAgZWxzZSBpZiAoIG1mbiAmIChMMV9QQUdFVEFCTEVf RU5UUklFUyAtIDEpICkKICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAg ICBNRU1fTE9HKCJVbmFsaWduZWQgc3VwZXJwYWdlIHJlZmVyZW5jZSBtZm4g JWx4IiwgbWZuKTsKICAgICAgICAgICAgICAgICByYyA9IC1FSU5WQUw7Ci0g ICAgICAgICAgICB9Ci0gICAgICAgICAgICBlbHNlIGlmICggIW9wdF9hbGxv d19zdXBlcnBhZ2UgKQotICAgICAgICAgICAgewotICAgICAgICAgICAgICAg IE1FTV9MT0coIlN1cGVycGFnZXMgZGlzYWxsb3dlZCIpOwotICAgICAgICAg ICAgICAgIHJjID0gLUVOT1NZUzsKICAgICAgICAgICAgIH0KKyAgICAgICAg ICAgIGVsc2UgaWYgKCAhbWZuX3ZhbGlkKG1mbiB8IChMMV9QQUdFVEFCTEVf RU5UUklFUyAtIDEpKSApCisgICAgICAgICAgICAgICAgcmMgPSAtRUlOVkFM OworICAgICAgICAgICAgZWxzZSBpZiAoIG9wLmNtZCA9PSBNTVVFWFRfTUFS S19TVVBFUiApCisgICAgICAgICAgICAgICAgcmMgPSBtYXJrX3N1cGVycGFn ZShtZm5fdG9fc3BhZ2UobWZuKSwgZCk7CiAgICAgICAgICAgICBlbHNlCiAg ICAgICAgICAgICAgICAgcmMgPSB1bm1hcmtfc3VwZXJwYWdlKG1mbl90b19z cGFnZShtZm4pKTsKICAgICAgICAgICAgIGJyZWFrOwo= --=separator Content-Type: application/octet-stream; name="xsa167-4.4.patch" Content-Disposition: attachment; filename="xsa167-4.4.patch" Content-Transfer-Encoding: base64 eDg2L21tOiBQViBzdXBlcnBhZ2UgaGFuZGxpbmcgbGFja3Mgc2FuaXR5IGNo ZWNrcwoKTU1VRVhUX3ssVU59TUFSS19TVVBFUiBmYWlsIHRvIGNoZWNrIHRo ZSBpbnB1dCBNRk4gZm9yIHZhbGlkaXR5IGJlZm9yZQpkZXJlZmVyZW5jaW5n IHBvaW50ZXJzIGludG8gdGhlIHN1cGVycGFnZSBmcmFtZSB0YWJsZS4KCmdl dF9zdXBlcnBhZ2UoKSBoYXMgYSBzaW1pbGFyIGlzc3VlLgoKVGhpcyBpcyBY U0EtMTY3LgoKUmVwb3J0ZWQtYnk6IFFpbmdoYW8gVGFuZyA8bHVvZGFsb25n ZGVAZ21haWwuY29tPgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJl dWxpY2hAc3VzZS5jb20+CkFja2VkLWJ5OiBJYW4gQ2FtcGJlbGwgPGlhbi5j YW1wYmVsbEBjaXRyaXguY29tPgoKLS0tIGEveGVuL2FyY2gveDg2L21tLmMK KysrIGIveGVuL2FyY2gveDg2L21tLmMKQEAgLTI1NjYsNiArMjU2Niw5IEBA IGludCBnZXRfc3VwZXJwYWdlKHVuc2lnbmVkIGxvbmcgbWZuLCBzdHIKIAog ICAgIEFTU0VSVChvcHRfYWxsb3dfc3VwZXJwYWdlKTsKIAorICAgIGlmICgg IW1mbl92YWxpZChtZm4gfCAoTDFfUEFHRVRBQkxFX0VOVFJJRVMgLSAxKSkg KQorICAgICAgICByZXR1cm4gLUVJTlZBTDsKKwogICAgIHNwYWdlID0gbWZu X3RvX3NwYWdlKG1mbik7CiAgICAgeSA9IHNwYWdlLT50eXBlX2luZm87CiAg ICAgZG8gewpAQCAtMzMyMCwxNCArMzMyMyw2IEBAIGxvbmcgZG9fbW11ZXh0 X29wKAogICAgICAgICAgICAgdW5zaWduZWQgbG9uZyBtZm47CiAgICAgICAg ICAgICBzdHJ1Y3Qgc3BhZ2VfaW5mbyAqc3BhZ2U7CiAKLSAgICAgICAgICAg IG1mbiA9IG9wLmFyZzEubWZuOwotICAgICAgICAgICAgaWYgKCBtZm4gJiAo TDFfUEFHRVRBQkxFX0VOVFJJRVMtMSkgKQotICAgICAgICAgICAgewotICAg ICAgICAgICAgICAgIE1FTV9MT0coIlVuYWxpZ25lZCBzdXBlcnBhZ2UgcmVm ZXJlbmNlIG1mbiAlbHgiLCBtZm4pOwotICAgICAgICAgICAgICAgIG9rYXkg PSAwOwotICAgICAgICAgICAgICAgIGJyZWFrOwotICAgICAgICAgICAgfQot CiAgICAgICAgICAgICBpZiAoICFvcHRfYWxsb3dfc3VwZXJwYWdlICkKICAg ICAgICAgICAgIHsKICAgICAgICAgICAgICAgICBNRU1fTE9HKCJTdXBlcnBh Z2VzIGRpc2FsbG93ZWQiKTsKQEAgLTMzMzYsMTYgKzMzMzEsNiBAQCBsb25n IGRvX21tdWV4dF9vcCgKICAgICAgICAgICAgICAgICBicmVhazsKICAgICAg ICAgICAgIH0KIAotICAgICAgICAgICAgc3BhZ2UgPSBtZm5fdG9fc3BhZ2Uo bWZuKTsKLSAgICAgICAgICAgIG9rYXkgPSAobWFya19zdXBlcnBhZ2Uoc3Bh Z2UsIGQpID49IDApOwotICAgICAgICAgICAgYnJlYWs7Ci0gICAgICAgIH0K LQotICAgICAgICBjYXNlIE1NVUVYVF9VTk1BUktfU1VQRVI6Ci0gICAgICAg IHsKLSAgICAgICAgICAgIHVuc2lnbmVkIGxvbmcgbWZuOwotICAgICAgICAg ICAgc3RydWN0IHNwYWdlX2luZm8gKnNwYWdlOwotCiAgICAgICAgICAgICBt Zm4gPSBvcC5hcmcxLm1mbjsKICAgICAgICAgICAgIGlmICggbWZuICYgKEwx X1BBR0VUQUJMRV9FTlRSSUVTLTEpICkKICAgICAgICAgICAgIHsKQEAgLTMz NTQsMTYgKzMzMzksMTYgQEAgbG9uZyBkb19tbXVleHRfb3AoCiAgICAgICAg ICAgICAgICAgYnJlYWs7CiAgICAgICAgICAgICB9CiAKLSAgICAgICAgICAg IGlmICggIW9wdF9hbGxvd19zdXBlcnBhZ2UgKQorICAgICAgICAgICAgaWYg KCAhbWZuX3ZhbGlkKG1mbiB8IChMMV9QQUdFVEFCTEVfRU5UUklFUyAtIDEp KSApCiAgICAgICAgICAgICB7Ci0gICAgICAgICAgICAgICAgTUVNX0xPRygi U3VwZXJwYWdlcyBkaXNhbGxvd2VkIik7CiAgICAgICAgICAgICAgICAgb2th eSA9IDA7Ci0gICAgICAgICAgICAgICAgcmMgPSAtRU5PU1lTOwogICAgICAg ICAgICAgICAgIGJyZWFrOwogICAgICAgICAgICAgfQogCiAgICAgICAgICAg ICBzcGFnZSA9IG1mbl90b19zcGFnZShtZm4pOwotICAgICAgICAgICAgb2th eSA9ICh1bm1hcmtfc3VwZXJwYWdlKHNwYWdlKSA+PSAwKTsKKyAgICAgICAg ICAgIG9rYXkgPSAoKG9wLmNtZCA9PSBNTVVFWFRfTUFSS19TVVBFUgorICAg ICAgICAgICAgICAgICAgICA/IG1hcmtfc3VwZXJwYWdlKHNwYWdlLCBkKQor ICAgICAgICAgICAgICAgICAgICA6IHVubWFya19zdXBlcnBhZ2Uoc3BhZ2Up KSA+PSAwKTsKICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICB9CiAK --=separator Content-Type: application/octet-stream; name="xsa167-4.6.patch" Content-Disposition: attachment; filename="xsa167-4.6.patch" Content-Transfer-Encoding: base64 eDg2L21tOiBQViBzdXBlcnBhZ2UgaGFuZGxpbmcgbGFja3Mgc2FuaXR5IGNo ZWNrcwoKTU1VRVhUX3ssVU59TUFSS19TVVBFUiBmYWlsIHRvIGNoZWNrIHRo ZSBpbnB1dCBNRk4gZm9yIHZhbGlkaXR5IGJlZm9yZQpkZXJlZmVyZW5jaW5n IHBvaW50ZXJzIGludG8gdGhlIHN1cGVycGFnZSBmcmFtZSB0YWJsZS4KCmdl dF9zdXBlcnBhZ2UoKSBoYXMgYSBzaW1pbGFyIGlzc3VlLgoKVGhpcyBpcyBY U0EtMTY3LgoKUmVwb3J0ZWQtYnk6IFFpbmdoYW8gVGFuZyA8bHVvZGFsb25n ZGVAZ21haWwuY29tPgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJl dWxpY2hAc3VzZS5jb20+CkFja2VkLWJ5OiBJYW4gQ2FtcGJlbGwgPGlhbi5j YW1wYmVsbEBjaXRyaXguY29tPgoKLS0tIGEveGVuL2FyY2gveDg2L21tLmMK KysrIGIveGVuL2FyY2gveDg2L21tLmMKQEAgLTI2MjQsNiArMjYyNCw5IEBA IGludCBnZXRfc3VwZXJwYWdlKHVuc2lnbmVkIGxvbmcgbWZuLCBzdHIKIAog ICAgIEFTU0VSVChvcHRfYWxsb3dfc3VwZXJwYWdlKTsKIAorICAgIGlmICgg IW1mbl92YWxpZChtZm4gfCAoTDFfUEFHRVRBQkxFX0VOVFJJRVMgLSAxKSkg KQorICAgICAgICByZXR1cm4gLUVJTlZBTDsKKwogICAgIHNwYWdlID0gbWZu X3RvX3NwYWdlKG1mbik7CiAgICAgeSA9IHNwYWdlLT50eXBlX2luZm87CiAg ICAgZG8gewpAQCAtMzQwMSw0MiArMzQwNCwyNiBAQCBsb25nIGRvX21tdWV4 dF9vcCgKICAgICAgICAgfQogCiAgICAgICAgIGNhc2UgTU1VRVhUX01BUktf U1VQRVI6CisgICAgICAgIGNhc2UgTU1VRVhUX1VOTUFSS19TVVBFUjoKICAg ICAgICAgewogICAgICAgICAgICAgdW5zaWduZWQgbG9uZyBtZm4gPSBvcC5h cmcxLm1mbjsKIAotICAgICAgICAgICAgaWYgKCB1bmxpa2VseShkICE9IHBn X293bmVyKSApCi0gICAgICAgICAgICAgICAgcmMgPSAtRVBFUk07Ci0gICAg ICAgICAgICBlbHNlIGlmICggbWZuICYgKEwxX1BBR0VUQUJMRV9FTlRSSUVT LTEpICkKLSAgICAgICAgICAgIHsKLSAgICAgICAgICAgICAgICBNRU1fTE9H KCJVbmFsaWduZWQgc3VwZXJwYWdlIHJlZmVyZW5jZSBtZm4gJWx4IiwgbWZu KTsKLSAgICAgICAgICAgICAgICBva2F5ID0gMDsKLSAgICAgICAgICAgIH0K LSAgICAgICAgICAgIGVsc2UgaWYgKCAhb3B0X2FsbG93X3N1cGVycGFnZSAp CisgICAgICAgICAgICBpZiAoICFvcHRfYWxsb3dfc3VwZXJwYWdlICkKICAg ICAgICAgICAgIHsKICAgICAgICAgICAgICAgICBNRU1fTE9HKCJTdXBlcnBh Z2VzIGRpc2FsbG93ZWQiKTsKICAgICAgICAgICAgICAgICByYyA9IC1FTk9T WVM7CiAgICAgICAgICAgICB9Ci0gICAgICAgICAgICBlbHNlCi0gICAgICAg ICAgICAgICAgcmMgPSBtYXJrX3N1cGVycGFnZShtZm5fdG9fc3BhZ2UobWZu KSwgZCk7Ci0gICAgICAgICAgICBicmVhazsKLSAgICAgICAgfQotCi0gICAg ICAgIGNhc2UgTU1VRVhUX1VOTUFSS19TVVBFUjoKLSAgICAgICAgewotICAg ICAgICAgICAgdW5zaWduZWQgbG9uZyBtZm4gPSBvcC5hcmcxLm1mbjsKLQot ICAgICAgICAgICAgaWYgKCB1bmxpa2VseShkICE9IHBnX293bmVyKSApCisg ICAgICAgICAgICBlbHNlIGlmICggdW5saWtlbHkoZCAhPSBwZ19vd25lcikg KQogICAgICAgICAgICAgICAgIHJjID0gLUVQRVJNOwotICAgICAgICAgICAg ZWxzZSBpZiAoIG1mbiAmIChMMV9QQUdFVEFCTEVfRU5UUklFUy0xKSApCisg ICAgICAgICAgICBlbHNlIGlmICggbWZuICYgKEwxX1BBR0VUQUJMRV9FTlRS SUVTIC0gMSkgKQogICAgICAgICAgICAgewogICAgICAgICAgICAgICAgIE1F TV9MT0coIlVuYWxpZ25lZCBzdXBlcnBhZ2UgcmVmZXJlbmNlIG1mbiAlbHgi LCBtZm4pOwotICAgICAgICAgICAgICAgIG9rYXkgPSAwOwotICAgICAgICAg ICAgfQotICAgICAgICAgICAgZWxzZSBpZiAoICFvcHRfYWxsb3dfc3VwZXJw YWdlICkKLSAgICAgICAgICAgIHsKLSAgICAgICAgICAgICAgICBNRU1fTE9H KCJTdXBlcnBhZ2VzIGRpc2FsbG93ZWQiKTsKLSAgICAgICAgICAgICAgICBy YyA9IC1FTk9TWVM7CisgICAgICAgICAgICAgICAgcmMgPSAtRUlOVkFMOwog ICAgICAgICAgICAgfQorICAgICAgICAgICAgZWxzZSBpZiAoICFtZm5fdmFs aWQobWZuIHwgKEwxX1BBR0VUQUJMRV9FTlRSSUVTIC0gMSkpICkKKyAgICAg ICAgICAgICAgICByYyA9IC1FSU5WQUw7CisgICAgICAgICAgICBlbHNlIGlm ICggb3AuY21kID09IE1NVUVYVF9NQVJLX1NVUEVSICkKKyAgICAgICAgICAg ICAgICByYyA9IG1hcmtfc3VwZXJwYWdlKG1mbl90b19zcGFnZShtZm4pLCBk KTsKICAgICAgICAgICAgIGVsc2UKICAgICAgICAgICAgICAgICByYyA9IHVu bWFya19zdXBlcnBhZ2UobWZuX3RvX3NwYWdlKG1mbikpOwogICAgICAgICAg ICAgYnJlYWs7Cg== --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Wed Jan 20 12:09:56 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Jan 2016 12:09:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aLrZH-0003HA-3p; Wed, 20 Jan 2016 12:08:55 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aLrZG-0003Gg-38; Wed, 20 Jan 2016 12:08:54 +0000 Received: from [85.158.137.68] by server-6.bemta-3.messagelabs.com id E8/DE-08479-5D87F965; Wed, 20 Jan 2016 12:08:53 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-12.tower-31.messagelabs.com!1453291731!16918614!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 7.35.1; banners=-,-,- X-VirusChecked: Checked Received: (qmail 31852 invoked from network); 20 Jan 2016 12:08:52 -0000 Received: from 50-57-168-107.static.cloud-ips.com (HELO mail.xen.org) (50.57.168.107) by server-12.tower-31.messagelabs.com with AES256-SHA encrypted SMTP; 20 Jan 2016 12:08:52 -0000 Received: from xenbits.xenproject.org ([50.57.170.242] helo=xenbits.xen.org) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aLrZg-0002yH-Ob; Wed, 20 Jan 2016 12:09:20 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1aLrZ4-0003QN-Ce; Wed, 20 Jan 2016 12:08:43 +0000 Date: Wed, 20 Jan 2016 12:08:42 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 167 (CVE-2016-1570) - PV superpage functionality missing sanity checks X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-1570 / XSA-167 version 4 PV superpage functionality missing sanity checks UPDATES IN VERSION 4 ==================== Public release. ISSUE DESCRIPTION ================= The PV superpage functionality lacks certain validity checks on data being passed to the hypervisor by guests. This is the case for the page identifier (MFN) passed to MMUEXT_MARK_SUPER and MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as well as for various forms of page table updates. IMPACT ====== Use of the feature, which is disabled by default, may have unknown effects, ranging from information leaks through Denial of Service to privilege escalation. VULNERABLE SYSTEMS ================== Only systems which enable the PV superpage feature are affected. That is, only systems with an `allowsuperpage' setting on the hypervisor command line. Note that in Xen 4.0.x and 3.4.x the option is named `allowhugepage'. Xen versions 3.4.0, 3.4.1, and from 4.1 onwards are affected. Only x86 systems are affected. Only PV guests can exploit the vulnerability. MITIGATION ========== Running only HVM guests will avoid this issue. Not enabling PV superpage support (by omitting the `allowsuperpage' or `allowhugepage' hypervisor command line options) will avoid exposing the issue. CREDITS ======= This issue was discovered by Qinghao Tang of 360 Marvel Team. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa167.patch xen-unstable xsa167-4.6.patch Xen 4.6.x, 4.5.x xsa167-4.4.patch Xen 4.4.x, 4.3.x $ sha256sum xsa167* a71f709eef59425cb2113fa48d3b44048c6bf41063200fee1c847f6e0ed45a09 xsa167.patch 194c1ce89292f4cbb9980baa703095bcbeb5849abf46d193e07a98a0d8301f78 xsa167-4.4.patch 2bd786cccfd13c6732d6db8afc9e18058465efcb1bc93f894c359e3a820d5403 xsa167-4.6.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. However deployment of the SUPERPAGE DISABLEMENT MITIGATION is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because disabling PV superpage support is visible to guests, so such deployment could lead to the rediscovery of the vulnerability. Deployment of the mitigation is permitted only AFTER the embargo ends. Also: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJWn3jEAAoJEIP+FMlX6CvZTOsH/2ReFJ0Yhp5da69XKvFEJR/s 0yEFxjvqiSyBPsWjyiaAdOp/1A2sltEeDDnMy7xEoXHmon0p6IV0IR4L+fMCLjl2 1ZI4tKpkn3zUE+IOjfu/GJ53f87XWSq/u9Ri7yZQdxFpgd3AXcLegGm8i4L/58iY vdwAAuczACztEN/NbWFedlGUEd5PKqKwb4wOg1uhLIMwzvjxgtejVAyZD83HgP6i LeWMO7EfeU8ND38Otiw9lNlKD/Ia7vpRG+BXuADLx18hbR1TU9AJ0RO1zb9JnAAj snYdgB6s1wzRD4/HOc+s1uaIttPPODs0IhZunylI7UVhdWKp5Qkszw/QUcmufnk= =5acB -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa167.patch" Content-Disposition: attachment; filename="xsa167.patch" Content-Transfer-Encoding: base64 eDg2L21tOiBQViBzdXBlcnBhZ2UgaGFuZGxpbmcgbGFja3Mgc2FuaXR5IGNo ZWNrcwoKTU1VRVhUX3ssVU59TUFSS19TVVBFUiBmYWlsIHRvIGNoZWNrIHRo ZSBpbnB1dCBNRk4gZm9yIHZhbGlkaXR5IGJlZm9yZQpkZXJlZmVyZW5jaW5n IHBvaW50ZXJzIGludG8gdGhlIHN1cGVycGFnZSBmcmFtZSB0YWJsZS4KCmdl dF9zdXBlcnBhZ2UoKSBoYXMgYSBzaW1pbGFyIGlzc3VlLgoKVGhpcyBpcyBY U0EtMTY3LgoKUmVwb3J0ZWQtYnk6IFFpbmdoYW8gVGFuZyA8bHVvZGFsb25n ZGVAZ21haWwuY29tPgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJl dWxpY2hAc3VzZS5jb20+CkFja2VkLWJ5OiBJYW4gQ2FtcGJlbGwgPGlhbi5j YW1wYmVsbEBjaXRyaXguY29tPgoKLS0tIGEveGVuL2FyY2gveDg2L21tLmMK KysrIGIveGVuL2FyY2gveDg2L21tLmMKQEAgLTI2MzUsNiArMjYzNSw5IEBA IGludCBnZXRfc3VwZXJwYWdlKHVuc2lnbmVkIGxvbmcgbWZuLCBzdHIKIAog ICAgIEFTU0VSVChvcHRfYWxsb3dfc3VwZXJwYWdlKTsKIAorICAgIGlmICgg IW1mbl92YWxpZChtZm4gfCAoTDFfUEFHRVRBQkxFX0VOVFJJRVMgLSAxKSkg KQorICAgICAgICByZXR1cm4gLUVJTlZBTDsKKwogICAgIHNwYWdlID0gbWZu X3RvX3NwYWdlKG1mbik7CiAgICAgeSA9IHNwYWdlLT50eXBlX2luZm87CiAg ICAgZG8gewpAQCAtMzQzMiw0MiArMzQzNSwyNiBAQCBsb25nIGRvX21tdWV4 dF9vcCgKICAgICAgICAgfQogCiAgICAgICAgIGNhc2UgTU1VRVhUX01BUktf U1VQRVI6CisgICAgICAgIGNhc2UgTU1VRVhUX1VOTUFSS19TVVBFUjoKICAg ICAgICAgewogICAgICAgICAgICAgdW5zaWduZWQgbG9uZyBtZm4gPSBvcC5h cmcxLm1mbjsKIAotICAgICAgICAgICAgaWYgKCB1bmxpa2VseShkICE9IHBn X293bmVyKSApCi0gICAgICAgICAgICAgICAgcmMgPSAtRVBFUk07Ci0gICAg ICAgICAgICBlbHNlIGlmICggbWZuICYgKEwxX1BBR0VUQUJMRV9FTlRSSUVT LTEpICkKLSAgICAgICAgICAgIHsKLSAgICAgICAgICAgICAgICBNRU1fTE9H KCJVbmFsaWduZWQgc3VwZXJwYWdlIHJlZmVyZW5jZSBtZm4gJWx4IiwgbWZu KTsKLSAgICAgICAgICAgICAgICByYyA9IC1FSU5WQUw7Ci0gICAgICAgICAg ICB9Ci0gICAgICAgICAgICBlbHNlIGlmICggIW9wdF9hbGxvd19zdXBlcnBh Z2UgKQorICAgICAgICAgICAgaWYgKCAhb3B0X2FsbG93X3N1cGVycGFnZSAp CiAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgTUVNX0xPRygiU3Vw ZXJwYWdlcyBkaXNhbGxvd2VkIik7CiAgICAgICAgICAgICAgICAgcmMgPSAt RU5PU1lTOwogICAgICAgICAgICAgfQotICAgICAgICAgICAgZWxzZQotICAg ICAgICAgICAgICAgIHJjID0gbWFya19zdXBlcnBhZ2UobWZuX3RvX3NwYWdl KG1mbiksIGQpOwotICAgICAgICAgICAgYnJlYWs7Ci0gICAgICAgIH0KLQot ICAgICAgICBjYXNlIE1NVUVYVF9VTk1BUktfU1VQRVI6Ci0gICAgICAgIHsK LSAgICAgICAgICAgIHVuc2lnbmVkIGxvbmcgbWZuID0gb3AuYXJnMS5tZm47 Ci0KLSAgICAgICAgICAgIGlmICggdW5saWtlbHkoZCAhPSBwZ19vd25lcikg KQorICAgICAgICAgICAgZWxzZSBpZiAoIHVubGlrZWx5KGQgIT0gcGdfb3du ZXIpICkKICAgICAgICAgICAgICAgICByYyA9IC1FUEVSTTsKLSAgICAgICAg ICAgIGVsc2UgaWYgKCBtZm4gJiAoTDFfUEFHRVRBQkxFX0VOVFJJRVMtMSkg KQorICAgICAgICAgICAgZWxzZSBpZiAoIG1mbiAmIChMMV9QQUdFVEFCTEVf RU5UUklFUyAtIDEpICkKICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAg ICBNRU1fTE9HKCJVbmFsaWduZWQgc3VwZXJwYWdlIHJlZmVyZW5jZSBtZm4g JWx4IiwgbWZuKTsKICAgICAgICAgICAgICAgICByYyA9IC1FSU5WQUw7Ci0g ICAgICAgICAgICB9Ci0gICAgICAgICAgICBlbHNlIGlmICggIW9wdF9hbGxv d19zdXBlcnBhZ2UgKQotICAgICAgICAgICAgewotICAgICAgICAgICAgICAg IE1FTV9MT0coIlN1cGVycGFnZXMgZGlzYWxsb3dlZCIpOwotICAgICAgICAg ICAgICAgIHJjID0gLUVOT1NZUzsKICAgICAgICAgICAgIH0KKyAgICAgICAg ICAgIGVsc2UgaWYgKCAhbWZuX3ZhbGlkKG1mbiB8IChMMV9QQUdFVEFCTEVf RU5UUklFUyAtIDEpKSApCisgICAgICAgICAgICAgICAgcmMgPSAtRUlOVkFM OworICAgICAgICAgICAgZWxzZSBpZiAoIG9wLmNtZCA9PSBNTVVFWFRfTUFS S19TVVBFUiApCisgICAgICAgICAgICAgICAgcmMgPSBtYXJrX3N1cGVycGFn ZShtZm5fdG9fc3BhZ2UobWZuKSwgZCk7CiAgICAgICAgICAgICBlbHNlCiAg ICAgICAgICAgICAgICAgcmMgPSB1bm1hcmtfc3VwZXJwYWdlKG1mbl90b19z cGFnZShtZm4pKTsKICAgICAgICAgICAgIGJyZWFrOwo= --=separator Content-Type: application/octet-stream; name="xsa167-4.4.patch" Content-Disposition: attachment; filename="xsa167-4.4.patch" Content-Transfer-Encoding: base64 eDg2L21tOiBQViBzdXBlcnBhZ2UgaGFuZGxpbmcgbGFja3Mgc2FuaXR5IGNo ZWNrcwoKTU1VRVhUX3ssVU59TUFSS19TVVBFUiBmYWlsIHRvIGNoZWNrIHRo ZSBpbnB1dCBNRk4gZm9yIHZhbGlkaXR5IGJlZm9yZQpkZXJlZmVyZW5jaW5n IHBvaW50ZXJzIGludG8gdGhlIHN1cGVycGFnZSBmcmFtZSB0YWJsZS4KCmdl dF9zdXBlcnBhZ2UoKSBoYXMgYSBzaW1pbGFyIGlzc3VlLgoKVGhpcyBpcyBY U0EtMTY3LgoKUmVwb3J0ZWQtYnk6IFFpbmdoYW8gVGFuZyA8bHVvZGFsb25n ZGVAZ21haWwuY29tPgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJl dWxpY2hAc3VzZS5jb20+CkFja2VkLWJ5OiBJYW4gQ2FtcGJlbGwgPGlhbi5j YW1wYmVsbEBjaXRyaXguY29tPgoKLS0tIGEveGVuL2FyY2gveDg2L21tLmMK KysrIGIveGVuL2FyY2gveDg2L21tLmMKQEAgLTI1NjYsNiArMjU2Niw5IEBA IGludCBnZXRfc3VwZXJwYWdlKHVuc2lnbmVkIGxvbmcgbWZuLCBzdHIKIAog ICAgIEFTU0VSVChvcHRfYWxsb3dfc3VwZXJwYWdlKTsKIAorICAgIGlmICgg IW1mbl92YWxpZChtZm4gfCAoTDFfUEFHRVRBQkxFX0VOVFJJRVMgLSAxKSkg KQorICAgICAgICByZXR1cm4gLUVJTlZBTDsKKwogICAgIHNwYWdlID0gbWZu X3RvX3NwYWdlKG1mbik7CiAgICAgeSA9IHNwYWdlLT50eXBlX2luZm87CiAg ICAgZG8gewpAQCAtMzMyMCwxNCArMzMyMyw2IEBAIGxvbmcgZG9fbW11ZXh0 X29wKAogICAgICAgICAgICAgdW5zaWduZWQgbG9uZyBtZm47CiAgICAgICAg ICAgICBzdHJ1Y3Qgc3BhZ2VfaW5mbyAqc3BhZ2U7CiAKLSAgICAgICAgICAg IG1mbiA9IG9wLmFyZzEubWZuOwotICAgICAgICAgICAgaWYgKCBtZm4gJiAo TDFfUEFHRVRBQkxFX0VOVFJJRVMtMSkgKQotICAgICAgICAgICAgewotICAg ICAgICAgICAgICAgIE1FTV9MT0coIlVuYWxpZ25lZCBzdXBlcnBhZ2UgcmVm ZXJlbmNlIG1mbiAlbHgiLCBtZm4pOwotICAgICAgICAgICAgICAgIG9rYXkg PSAwOwotICAgICAgICAgICAgICAgIGJyZWFrOwotICAgICAgICAgICAgfQot CiAgICAgICAgICAgICBpZiAoICFvcHRfYWxsb3dfc3VwZXJwYWdlICkKICAg ICAgICAgICAgIHsKICAgICAgICAgICAgICAgICBNRU1fTE9HKCJTdXBlcnBh Z2VzIGRpc2FsbG93ZWQiKTsKQEAgLTMzMzYsMTYgKzMzMzEsNiBAQCBsb25n IGRvX21tdWV4dF9vcCgKICAgICAgICAgICAgICAgICBicmVhazsKICAgICAg ICAgICAgIH0KIAotICAgICAgICAgICAgc3BhZ2UgPSBtZm5fdG9fc3BhZ2Uo bWZuKTsKLSAgICAgICAgICAgIG9rYXkgPSAobWFya19zdXBlcnBhZ2Uoc3Bh Z2UsIGQpID49IDApOwotICAgICAgICAgICAgYnJlYWs7Ci0gICAgICAgIH0K LQotICAgICAgICBjYXNlIE1NVUVYVF9VTk1BUktfU1VQRVI6Ci0gICAgICAg IHsKLSAgICAgICAgICAgIHVuc2lnbmVkIGxvbmcgbWZuOwotICAgICAgICAg ICAgc3RydWN0IHNwYWdlX2luZm8gKnNwYWdlOwotCiAgICAgICAgICAgICBt Zm4gPSBvcC5hcmcxLm1mbjsKICAgICAgICAgICAgIGlmICggbWZuICYgKEwx X1BBR0VUQUJMRV9FTlRSSUVTLTEpICkKICAgICAgICAgICAgIHsKQEAgLTMz NTQsMTYgKzMzMzksMTYgQEAgbG9uZyBkb19tbXVleHRfb3AoCiAgICAgICAg ICAgICAgICAgYnJlYWs7CiAgICAgICAgICAgICB9CiAKLSAgICAgICAgICAg IGlmICggIW9wdF9hbGxvd19zdXBlcnBhZ2UgKQorICAgICAgICAgICAgaWYg KCAhbWZuX3ZhbGlkKG1mbiB8IChMMV9QQUdFVEFCTEVfRU5UUklFUyAtIDEp KSApCiAgICAgICAgICAgICB7Ci0gICAgICAgICAgICAgICAgTUVNX0xPRygi U3VwZXJwYWdlcyBkaXNhbGxvd2VkIik7CiAgICAgICAgICAgICAgICAgb2th eSA9IDA7Ci0gICAgICAgICAgICAgICAgcmMgPSAtRU5PU1lTOwogICAgICAg ICAgICAgICAgIGJyZWFrOwogICAgICAgICAgICAgfQogCiAgICAgICAgICAg ICBzcGFnZSA9IG1mbl90b19zcGFnZShtZm4pOwotICAgICAgICAgICAgb2th eSA9ICh1bm1hcmtfc3VwZXJwYWdlKHNwYWdlKSA+PSAwKTsKKyAgICAgICAg ICAgIG9rYXkgPSAoKG9wLmNtZCA9PSBNTVVFWFRfTUFSS19TVVBFUgorICAg ICAgICAgICAgICAgICAgICA/IG1hcmtfc3VwZXJwYWdlKHNwYWdlLCBkKQor ICAgICAgICAgICAgICAgICAgICA6IHVubWFya19zdXBlcnBhZ2Uoc3BhZ2Up KSA+PSAwKTsKICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICB9CiAK --=separator Content-Type: application/octet-stream; name="xsa167-4.6.patch" Content-Disposition: attachment; filename="xsa167-4.6.patch" Content-Transfer-Encoding: base64 eDg2L21tOiBQViBzdXBlcnBhZ2UgaGFuZGxpbmcgbGFja3Mgc2FuaXR5IGNo ZWNrcwoKTU1VRVhUX3ssVU59TUFSS19TVVBFUiBmYWlsIHRvIGNoZWNrIHRo ZSBpbnB1dCBNRk4gZm9yIHZhbGlkaXR5IGJlZm9yZQpkZXJlZmVyZW5jaW5n IHBvaW50ZXJzIGludG8gdGhlIHN1cGVycGFnZSBmcmFtZSB0YWJsZS4KCmdl dF9zdXBlcnBhZ2UoKSBoYXMgYSBzaW1pbGFyIGlzc3VlLgoKVGhpcyBpcyBY U0EtMTY3LgoKUmVwb3J0ZWQtYnk6IFFpbmdoYW8gVGFuZyA8bHVvZGFsb25n ZGVAZ21haWwuY29tPgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJl dWxpY2hAc3VzZS5jb20+CkFja2VkLWJ5OiBJYW4gQ2FtcGJlbGwgPGlhbi5j YW1wYmVsbEBjaXRyaXguY29tPgoKLS0tIGEveGVuL2FyY2gveDg2L21tLmMK KysrIGIveGVuL2FyY2gveDg2L21tLmMKQEAgLTI2MjQsNiArMjYyNCw5IEBA IGludCBnZXRfc3VwZXJwYWdlKHVuc2lnbmVkIGxvbmcgbWZuLCBzdHIKIAog ICAgIEFTU0VSVChvcHRfYWxsb3dfc3VwZXJwYWdlKTsKIAorICAgIGlmICgg IW1mbl92YWxpZChtZm4gfCAoTDFfUEFHRVRBQkxFX0VOVFJJRVMgLSAxKSkg KQorICAgICAgICByZXR1cm4gLUVJTlZBTDsKKwogICAgIHNwYWdlID0gbWZu X3RvX3NwYWdlKG1mbik7CiAgICAgeSA9IHNwYWdlLT50eXBlX2luZm87CiAg ICAgZG8gewpAQCAtMzQwMSw0MiArMzQwNCwyNiBAQCBsb25nIGRvX21tdWV4 dF9vcCgKICAgICAgICAgfQogCiAgICAgICAgIGNhc2UgTU1VRVhUX01BUktf U1VQRVI6CisgICAgICAgIGNhc2UgTU1VRVhUX1VOTUFSS19TVVBFUjoKICAg ICAgICAgewogICAgICAgICAgICAgdW5zaWduZWQgbG9uZyBtZm4gPSBvcC5h cmcxLm1mbjsKIAotICAgICAgICAgICAgaWYgKCB1bmxpa2VseShkICE9IHBn X293bmVyKSApCi0gICAgICAgICAgICAgICAgcmMgPSAtRVBFUk07Ci0gICAg ICAgICAgICBlbHNlIGlmICggbWZuICYgKEwxX1BBR0VUQUJMRV9FTlRSSUVT LTEpICkKLSAgICAgICAgICAgIHsKLSAgICAgICAgICAgICAgICBNRU1fTE9H KCJVbmFsaWduZWQgc3VwZXJwYWdlIHJlZmVyZW5jZSBtZm4gJWx4IiwgbWZu KTsKLSAgICAgICAgICAgICAgICBva2F5ID0gMDsKLSAgICAgICAgICAgIH0K LSAgICAgICAgICAgIGVsc2UgaWYgKCAhb3B0X2FsbG93X3N1cGVycGFnZSAp CisgICAgICAgICAgICBpZiAoICFvcHRfYWxsb3dfc3VwZXJwYWdlICkKICAg ICAgICAgICAgIHsKICAgICAgICAgICAgICAgICBNRU1fTE9HKCJTdXBlcnBh Z2VzIGRpc2FsbG93ZWQiKTsKICAgICAgICAgICAgICAgICByYyA9IC1FTk9T WVM7CiAgICAgICAgICAgICB9Ci0gICAgICAgICAgICBlbHNlCi0gICAgICAg ICAgICAgICAgcmMgPSBtYXJrX3N1cGVycGFnZShtZm5fdG9fc3BhZ2UobWZu KSwgZCk7Ci0gICAgICAgICAgICBicmVhazsKLSAgICAgICAgfQotCi0gICAg ICAgIGNhc2UgTU1VRVhUX1VOTUFSS19TVVBFUjoKLSAgICAgICAgewotICAg ICAgICAgICAgdW5zaWduZWQgbG9uZyBtZm4gPSBvcC5hcmcxLm1mbjsKLQot ICAgICAgICAgICAgaWYgKCB1bmxpa2VseShkICE9IHBnX293bmVyKSApCisg ICAgICAgICAgICBlbHNlIGlmICggdW5saWtlbHkoZCAhPSBwZ19vd25lcikg KQogICAgICAgICAgICAgICAgIHJjID0gLUVQRVJNOwotICAgICAgICAgICAg ZWxzZSBpZiAoIG1mbiAmIChMMV9QQUdFVEFCTEVfRU5UUklFUy0xKSApCisg ICAgICAgICAgICBlbHNlIGlmICggbWZuICYgKEwxX1BBR0VUQUJMRV9FTlRS SUVTIC0gMSkgKQogICAgICAgICAgICAgewogICAgICAgICAgICAgICAgIE1F TV9MT0coIlVuYWxpZ25lZCBzdXBlcnBhZ2UgcmVmZXJlbmNlIG1mbiAlbHgi LCBtZm4pOwotICAgICAgICAgICAgICAgIG9rYXkgPSAwOwotICAgICAgICAg ICAgfQotICAgICAgICAgICAgZWxzZSBpZiAoICFvcHRfYWxsb3dfc3VwZXJw YWdlICkKLSAgICAgICAgICAgIHsKLSAgICAgICAgICAgICAgICBNRU1fTE9H KCJTdXBlcnBhZ2VzIGRpc2FsbG93ZWQiKTsKLSAgICAgICAgICAgICAgICBy YyA9IC1FTk9TWVM7CisgICAgICAgICAgICAgICAgcmMgPSAtRUlOVkFMOwog ICAgICAgICAgICAgfQorICAgICAgICAgICAgZWxzZSBpZiAoICFtZm5fdmFs aWQobWZuIHwgKEwxX1BBR0VUQUJMRV9FTlRSSUVTIC0gMSkpICkKKyAgICAg ICAgICAgICAgICByYyA9IC1FSU5WQUw7CisgICAgICAgICAgICBlbHNlIGlm ICggb3AuY21kID09IE1NVUVYVF9NQVJLX1NVUEVSICkKKyAgICAgICAgICAg ICAgICByYyA9IG1hcmtfc3VwZXJwYWdlKG1mbl90b19zcGFnZShtZm4pLCBk KTsKICAgICAgICAgICAgIGVsc2UKICAgICAgICAgICAgICAgICByYyA9IHVu bWFya19zdXBlcnBhZ2UobWZuX3RvX3NwYWdlKG1mbikpOwogICAgICAgICAg ICAgYnJlYWs7Cg== --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Wed Jan 20 12:09:56 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Jan 2016 12:09:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aLrZJ-0003IE-Sf; Wed, 20 Jan 2016 12:08:57 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aLrZI-0003HL-JV; Wed, 20 Jan 2016 12:08:56 +0000 Received: from [85.158.137.68] by server-9.bemta-3.messagelabs.com id 85/91-03066-7D87F965; Wed, 20 Jan 2016 12:08:55 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-14.tower-31.messagelabs.com!1453291733!16986655!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 7.35.1; banners=-,-,- X-VirusChecked: Checked Received: (qmail 4977 invoked from network); 20 Jan 2016 12:08:54 -0000 Received: from 50-57-168-107.static.cloud-ips.com (HELO mail.xen.org) (50.57.168.107) by server-14.tower-31.messagelabs.com with AES256-SHA encrypted SMTP; 20 Jan 2016 12:08:54 -0000 Received: from xenbits.xenproject.org ([50.57.170.242] helo=xenbits.xen.org) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aLrZk-0002yW-Np; Wed, 20 Jan 2016 12:09:24 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1aLrZ9-0003RR-Dg; Wed, 20 Jan 2016 12:08:47 +0000 Date: Wed, 20 Jan 2016 12:08:47 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 168 (CVE-2016-1571) - VMX: intercept issue with INVLPG on non-canonical address X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-1571 / XSA-168 version 3 VMX: intercept issue with INVLPG on non-canonical address UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= While INVLPG does not cause a General Protection Fault when used on a non-canonical address, INVVPID in its "individual address" variant, which is used to back the intercepted INVLPG in certain cases, fails in such cases. Failure of INVVPID results in a hypervisor bug check. IMPACT ====== A malicious guest can crash the host, leading to a Denial of Service. VULNERABLE SYSTEMS ================== Xen versions from 3.3 onwards are affected. Only systems using Intel or Cyrix CPUs are affected. ARM and AMD systems are unaffected. Only HVM guests using shadow mode paging can expose this vulnerability. PV guests, and HVM guests using Hardware Assisted Paging (also known as EPT on affected hardware), are unaffected. Note that while unsupported, guests with enabled nested virtualization are vulnerable even when using EPT. CHECKING FOR VULNERABLE CONFIGURATION ===================================== To discover whether your HVM guests are using HAP, or shadow page tables: request debug key `q' (from the Xen console, or with `xl debug-keys q'). This will print (to the console, and visible in `xl dmesg'), debug information for every domain, containing something like this: (XEN) General information for domain 2: (XEN) refcnt=1 dying=2 pause_count=2 (XEN) nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400 (XEN) handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000 (XEN) paging assistance: hap refcounts translate external ^^^ The presence of `hap' here indicates that the host is not vulnerable to this domain. For an HVM domain the presence of `shadow' indicates that the domain can exploit the vulnerability. Note that `General information' will also be printed for PV domains. For most PV domains there will be no `paging assistance' reported. But PV guests currently being migrated will report (XEN) paging assistance: shadow log_dirty Overall: a domain can exploit the vulnerability if this debug output contains a `paging assistance' line which reports `translate' and which does not report `hap'. MITIGATION ========== Running only PV guests will avoid this vulnerability. Running HVM guests on only AMD hardware will also avoid this vulnerability. Running HVM guests with Hardware Assisted Paging (HAP) enabled will also avoid this vulnerability. This is the default mode on hardware supporting HAP, but can be overridden by hypervisor command line option and guest configuration setting. Such overrides ("hap=0" in either case, with variants like "no-hap" being possible in the hypervisor command line case) would need to be removed to avoid this vulnerability. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the attached patch resolves this issue. xsa168.patch xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x $ sha256sum xsa168* c95198a66485d6e538d113ce2b84630d77c15f597113c38fadd6bf1e24e4c8ec xsa168.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJWn3dEAAoJEIP+FMlX6CvZLaAH/A1FzwQebCOF0MCEMcM9V/zK At3L0XG5oBiVZVpbXAfYULeKaLtTGLBXqhBJjzej0FypCvEYX6BLBITLsw7kMqoW JSYHNHlg4pLH2Wnf6i3fVC7EIHx5XNuDa8Zeyt73wEFJhVpp43PcMwMzBolTUBmP +f5WDkLYflYXv+0XiHfbBLA2fl+K+A5OdDhKgjPZJouGvdfiZxX7EChR0asmmD1i AbSZYTLGhdlSU+fvw+w2XUYSeINS1FEhsZxMbWMVuz7jmPBmOn6u8NLrBdZatYoE Z2Fly81pWD7KDwusVscoLBdmBmI1Wr3u975j5EkQLbsCTsqo5ayP3BpfsieijIg= =UJX5 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa168.patch" Content-Disposition: attachment; filename="xsa168.patch" Content-Transfer-Encoding: base64 eDg2L1ZNWDogcHJldmVudCBJTlZWUElEIGZhaWx1cmUgZHVlIHRvIG5vbi1j YW5vbmljYWwgZ3Vlc3QgYWRkcmVzcwoKV2hpbGUgSU5WTFBHIChhbmQgb24g U1ZNIElOVkxQR0EpIGRvbid0IGZhdWx0IG9uIG5vbi1jYW5vbmljYWwKYWRk cmVzc2VzLCBJTlZWUElEIGZhaWxzIChpbiB0aGUgImluZGl2aWR1YWwgYWRk cmVzcyIgY2FzZSkgd2hlbiBwYXNzZWQKc3VjaCBhbiBhZGRyZXNzLgoKU2lu Y2Ugc3VjaCBpbnRlcmNlcHRlZCBJTlZMUEcgYXJlIGVmZmVjdGl2ZWx5IG5v LW9wcyBhbnl3YXksIGRvbid0IGZpeAp0aGlzIGluIHZteF9pbnZscGdfaW50 ZXJjZXB0KCksIGJ1dCBpbnN0ZWFkIGhhdmUgcGFnaW5nX2ludmxwZygpIG5l dmVyCnJldHVybiB0cnVlIGluIHN1Y2ggYSBjYXNlLgoKVGhpcyBpcyBYU0Et MTY4LgoKU2lnbmVkLW9mZi1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1 c2UuY29tPgpSZXZpZXdlZC1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNv b3BlcjNAY2l0cml4LmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVsbCA8aWFu LmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS94ZW4vaW5jbHVkZS9hc20t eDg2L3BhZ2luZy5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS14ODYvcGFnaW5n LmgKQEAgLTI0NSw3ICsyNDUsNyBAQCBwYWdpbmdfZmF1bHQodW5zaWduZWQg bG9uZyB2YSwgc3RydWN0IGNwCiAgKiBvciAwIGlmIGl0J3Mgc2FmZSBub3Qg dG8gZG8gc28uICovCiBzdGF0aWMgaW5saW5lIGludCBwYWdpbmdfaW52bHBn KHN0cnVjdCB2Y3B1ICp2LCB1bnNpZ25lZCBsb25nIHZhKQogewotICAgIHJl dHVybiBwYWdpbmdfZ2V0X2hvc3Rtb2RlKHYpLT5pbnZscGcodiwgdmEpOwor ICAgIHJldHVybiBpc19jYW5vbmljYWxfYWRkcmVzcyh2YSkgJiYgcGFnaW5n X2dldF9ob3N0bW9kZSh2KS0+aW52bHBnKHYsIHZhKTsKIH0KIAogLyogVHJh bnNsYXRlIGEgZ3Vlc3QgdmlydHVhbCBhZGRyZXNzIHRvIHRoZSBmcmFtZSBu dW1iZXIgdGhhdCB0aGUK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Thu Jan 28 12:33:50 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 28 Jan 2016 12:33:50 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aOlkX-0007jv-4C; Thu, 28 Jan 2016 12:32:33 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aOljv-0007Xz-MU for xen-announce@lists.xenproject.org; Thu, 28 Jan 2016 12:31:55 +0000 Received: from [193.109.254.147] by server-4.bemta-14.messagelabs.com id EE/9B-10715-A3A0AA65; Thu, 28 Jan 2016 12:31:54 +0000 X-Env-Sender: lars.kurth.xen@gmail.com X-Msg-Ref: server-12.tower-27.messagelabs.com!1453984313!19693797!1 X-Originating-IP: [74.125.82.48] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 7.35.1; banners=-,-,- X-VirusChecked: Checked Received: (qmail 48094 invoked from network); 28 Jan 2016 12:31:53 -0000 Received: from mail-wm0-f48.google.com (HELO mail-wm0-f48.google.com) (74.125.82.48) by server-12.tower-27.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 28 Jan 2016 12:31:53 -0000 Received: by mail-wm0-f48.google.com with SMTP id 128so8480169wmz.1 for ; Thu, 28 Jan 2016 04:31:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:date:references :to:message-id:mime-version; bh=xUYoNjw+2LIjjVTWEQ8YN96941O15V6fGr5A8c7B1wY=; b=nLUUCbLoBabD7DnEiSycVqxbRxhU8a6Xx9XnWxra0F/qxDJcJGNYul4cL+x5IoZfj8 rG0ZKfqsfS8kjzZR4z8hAQE0PjzWn/Fu2dSmJuUI9qtYKfPLZ6wbizqbxb8cmsB0RlKt m8qwoleMFA8dA860VPvsqq72IBC0kaZ4EL54owXZvfPZbt07yQkLgQNBIVJl+HZ1l4IZ 7xpvQo5F24eWR0skzoGQQdxRUr02U0ldW1JOTUPpWXDvJGZWQynewZKgOL2ixKzG1+SE AsI9j+P1rfj4KffOV7NNIGSb5B3k1FeEA+gpejuu4j/2YudRRxaF5kbxBOxKQrR5H6c+ IhOg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:content-type:content-transfer-encoding :subject:date:references:to:message-id:mime-version; bh=xUYoNjw+2LIjjVTWEQ8YN96941O15V6fGr5A8c7B1wY=; b=CCAT+wFgW3UnC55AGT1MIfU0/bW3i7WxiI0FIHV7HnY7Ip+QwQEdOOE/j9CSz8TrtM UluryeBki4z/wUmgaF05yfYeDkhEao8SdPCt/f9yTVpdkgfXXiir/QrfLqPCzL91oAuo xP3vS/iMRbyv3EwN5W8NLMmy26FAZZGM7jYBf3aV4DvG/UFpt2EhomGjmcT405UjktWB Ah9Ra3Q6ZHrsmGtjU+Cdq2JvLAqvVO1vfRHet47Vk4LFOz6U/AC0fk5twPvnA5W2BaAV vpmceLTMOlzPiaU0VpVQugu2CH2cs3rSqc4HW8pqGnfTn6EHHOVmuaMeio0X627QzMz1 QBeQ== X-Gm-Message-State: AG10YOQ4ofmlAaoAoCJ2+KnyfYCqcPk7F6ZIxTkCeVvjDuvKoZetGjo19iCRCkQ2nICryA== X-Received: by 10.28.141.10 with SMTP id p10mr2772576wmd.83.1453984313378; Thu, 28 Jan 2016 04:31:53 -0800 (PST) Received: from [192.168.0.12] (5ec0a1a0.skybroadband.com. [94.192.161.160]) by smtp.gmail.com with ESMTPSA id uo9sm10833027wjc.49.2016.01.28.04.31.51 for (version=TLSv1/SSLv3 cipher=OTHER); Thu, 28 Jan 2016 04:31:51 -0800 (PST) From: Lars Kurth Date: Thu, 28 Jan 2016 12:31:50 +0000 References: <56AA0C8602000078000CBFA3@prv-mh.provo.novell.com> To: xen-announce@lists.xenproject.org Message-Id: Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\)) X-Mailer: Apple Mail (2.2104) X-Mailman-Approved-At: Thu, 28 Jan 2016 12:32:31 +0000 Subject: [Xen-announce] [Xen-devel] Xen 4.4.4 released X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org > Begin forwarded message: > > From: "Jan Beulich" > Subject: [Xen-devel] Xen 4.4.4 released > Date: 28 January 2016 11:41:42 GMT > To: > Cc: xen-devel > > All, > > I am pleased to announce the release of Xen 4.4.4. This is > available immediately from its git repository > http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.4 > (tag RELEASE-4.4.4) or from the XenProject download page > http://www.xenproject.org/downloads/xen-archives/xen-44-series/xen-444.html > (where a list of changes can also be found). > > Note that this is the last XenProject coordinated release of the 4.4 > stable series. The tree will be switched to security only maintenance > mode after this release. > > We recommend all users of the 4.4 stable series to update to this > last point release. > > Regards, > Jan > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce From xen-announce-bounces@lists.xen.org Thu Jan 28 12:33:50 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 28 Jan 2016 12:33:50 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aOlkX-0007jv-4C; Thu, 28 Jan 2016 12:32:33 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aOljv-0007Xz-MU for xen-announce@lists.xenproject.org; Thu, 28 Jan 2016 12:31:55 +0000 Received: from [193.109.254.147] by server-4.bemta-14.messagelabs.com id EE/9B-10715-A3A0AA65; Thu, 28 Jan 2016 12:31:54 +0000 X-Env-Sender: lars.kurth.xen@gmail.com X-Msg-Ref: server-12.tower-27.messagelabs.com!1453984313!19693797!1 X-Originating-IP: [74.125.82.48] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 7.35.1; banners=-,-,- X-VirusChecked: Checked Received: (qmail 48094 invoked from network); 28 Jan 2016 12:31:53 -0000 Received: from mail-wm0-f48.google.com (HELO mail-wm0-f48.google.com) (74.125.82.48) by server-12.tower-27.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 28 Jan 2016 12:31:53 -0000 Received: by mail-wm0-f48.google.com with SMTP id 128so8480169wmz.1 for ; Thu, 28 Jan 2016 04:31:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:date:references :to:message-id:mime-version; bh=xUYoNjw+2LIjjVTWEQ8YN96941O15V6fGr5A8c7B1wY=; b=nLUUCbLoBabD7DnEiSycVqxbRxhU8a6Xx9XnWxra0F/qxDJcJGNYul4cL+x5IoZfj8 rG0ZKfqsfS8kjzZR4z8hAQE0PjzWn/Fu2dSmJuUI9qtYKfPLZ6wbizqbxb8cmsB0RlKt m8qwoleMFA8dA860VPvsqq72IBC0kaZ4EL54owXZvfPZbt07yQkLgQNBIVJl+HZ1l4IZ 7xpvQo5F24eWR0skzoGQQdxRUr02U0ldW1JOTUPpWXDvJGZWQynewZKgOL2ixKzG1+SE AsI9j+P1rfj4KffOV7NNIGSb5B3k1FeEA+gpejuu4j/2YudRRxaF5kbxBOxKQrR5H6c+ IhOg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:content-type:content-transfer-encoding :subject:date:references:to:message-id:mime-version; bh=xUYoNjw+2LIjjVTWEQ8YN96941O15V6fGr5A8c7B1wY=; b=CCAT+wFgW3UnC55AGT1MIfU0/bW3i7WxiI0FIHV7HnY7Ip+QwQEdOOE/j9CSz8TrtM UluryeBki4z/wUmgaF05yfYeDkhEao8SdPCt/f9yTVpdkgfXXiir/QrfLqPCzL91oAuo xP3vS/iMRbyv3EwN5W8NLMmy26FAZZGM7jYBf3aV4DvG/UFpt2EhomGjmcT405UjktWB Ah9Ra3Q6ZHrsmGtjU+Cdq2JvLAqvVO1vfRHet47Vk4LFOz6U/AC0fk5twPvnA5W2BaAV vpmceLTMOlzPiaU0VpVQugu2CH2cs3rSqc4HW8pqGnfTn6EHHOVmuaMeio0X627QzMz1 QBeQ== X-Gm-Message-State: AG10YOQ4ofmlAaoAoCJ2+KnyfYCqcPk7F6ZIxTkCeVvjDuvKoZetGjo19iCRCkQ2nICryA== X-Received: by 10.28.141.10 with SMTP id p10mr2772576wmd.83.1453984313378; Thu, 28 Jan 2016 04:31:53 -0800 (PST) Received: from [192.168.0.12] (5ec0a1a0.skybroadband.com. [94.192.161.160]) by smtp.gmail.com with ESMTPSA id uo9sm10833027wjc.49.2016.01.28.04.31.51 for (version=TLSv1/SSLv3 cipher=OTHER); Thu, 28 Jan 2016 04:31:51 -0800 (PST) From: Lars Kurth Date: Thu, 28 Jan 2016 12:31:50 +0000 References: <56AA0C8602000078000CBFA3@prv-mh.provo.novell.com> To: xen-announce@lists.xenproject.org Message-Id: Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\)) X-Mailer: Apple Mail (2.2104) X-Mailman-Approved-At: Thu, 28 Jan 2016 12:32:31 +0000 Subject: [Xen-announce] [Xen-devel] Xen 4.4.4 released X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org > Begin forwarded message: > > From: "Jan Beulich" > Subject: [Xen-devel] Xen 4.4.4 released > Date: 28 January 2016 11:41:42 GMT > To: > Cc: xen-devel > > All, > > I am pleased to announce the release of Xen 4.4.4. This is > available immediately from its git repository > http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.4 > (tag RELEASE-4.4.4) or from the XenProject download page > http://www.xenproject.org/downloads/xen-archives/xen-44-series/xen-444.html > (where a list of changes can also be found). > > Note that this is the last XenProject coordinated release of the 4.4 > stable series. The tree will be switched to security only maintenance > mode after this release. > > We recommend all users of the 4.4 stable series to update to this > last point release. > > Regards, > Jan > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce