From xen-announce-bounces@lists.xen.org Tue Jul 26 12:05:19 2016
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1bS15c-0004H5-KP@xenbits.xenproject.org>
Date: Tue, 26 Jul 2016 12:04:00 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 182 (CVE-2016-6258) - x86:
 Privilege escalation in PV guests

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-6258 / XSA-182
                              version 3

                x86: Privilege escalation in PV guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The PV pagetable code has fast-paths for making updates to pre-existing
pagetable entries, to skip expensive re-validation in safe cases
(e.g. clearing only Access/Dirty bits).  The bits considered safe were too
broad, and not actually safe.

IMPACT
======

A malicious PV guest administrator can escalate their privilege to that
of the host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

The vulnerability is only exposed to PV guests on x86 hardware.

The vulnerability is not exposed to x86 HVM guests, or ARM guests.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Jérémie Boutoille of Quarkslab.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa182.patch           xen-unstable, Xen 4.7.x
xsa182-4.6.patch       Xen 4.6.x
xsa182-4.5.patch       Xen 4.5.x, 4.4.x, 4.3.x

$ sha256sum xsa182*
303400b9a832a3c1d423cc2cc97c2f00482793722f9ef7dd246783a049ac2792  xsa182-unstable.patch
2383695b1dc114e4e31e42dd05d4c86239ce9606478b5e1a71db1111d95b63a2  xsa182-4.5.patch
f10665acaf17dedd15c40bfeb832b188db1ab3e789d95cc3787575529a280813  xsa182-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa182-unstable.patch"
Content-Disposition: attachment; filename="xsa182-unstable.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa182-4.5.patch"
Content-Disposition: attachment; filename="xsa182-4.5.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa182-4.6.patch"
Content-Disposition: attachment; filename="xsa182-4.6.patch"
Content-Transfer-Encoding: base64


--=separator--
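
Added example (not part of the advisory and not Xen's code): a toy C model of the fast-path decision described in the XSA-182 issue description, comparing an allowlist limited to the Accessed/Dirty bits with an over-broad one. The frame policy, the SAFE_BROAD mask and all function names are assumptions made for illustration; the advisory does not list the affected bits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural x86-64 page-table entry flag bits. */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_RW        (1ULL << 1)
#define PTE_ACCESSED  (1ULL << 5)
#define PTE_DIRTY     (1ULL << 6)
#define PTE_ADDR_MASK 0x000ffffffffff000ULL

/* Allowlist matching the advisory's example of a safe change. */
#define SAFE_STRICT   (PTE_ACCESSED | PTE_DIRTY)
/* Hypothetical over-broad allowlist (assumption: the advisory does not
 * list the bits that were wrongly treated as safe). */
#define SAFE_BROAD    (SAFE_STRICT | PTE_RW)

enum result { UPDATE_FAST, UPDATE_VALIDATED, UPDATE_REJECTED };

/* Constructed toy policy: frames 0..3 exist; frame 2 must stay read-only. */
#define NR_FRAMES 4
static const bool frame_readonly[NR_FRAMES] = { false, false, true, false };

/* Build a PTE value from a frame number and flag bits. */
static uint64_t make_pte(uint64_t frame, uint64_t flags)
{
    return ((frame << 12) & PTE_ADDR_MASK) | flags;
}

/* Full (slow) validation: checks the new entry against the toy policy. */
static bool full_validate(uint64_t pte)
{
    uint64_t frame = (pte & PTE_ADDR_MASK) >> 12;

    if (!(pte & PTE_PRESENT))
        return true;                 /* non-present entries map nothing */
    if (frame >= NR_FRAMES)
        return false;                /* frame outside the guest's set */
    if ((pte & PTE_RW) && frame_readonly[frame])
        return false;                /* writable mapping of a read-only frame */
    return true;
}

/* The fast path is allowed only when every changed bit is in safe_bits. */
static bool fastpath_ok(uint64_t old_pte, uint64_t new_pte, uint64_t safe_bits)
{
    return ((old_pte ^ new_pte) & ~safe_bits) == 0;
}

/* Decide how an update from old_pte to new_pte is handled. */
static enum result try_update(uint64_t old_pte, uint64_t new_pte,
                              uint64_t safe_bits)
{
    if (fastpath_ok(old_pte, new_pte, safe_bits))
        return UPDATE_FAST;          /* accepted without re-validation */
    return full_validate(new_pte) ? UPDATE_VALIDATED : UPDATE_REJECTED;
}

int main(void)
{
    static const char *const name[] = { "fast", "validated", "rejected" };
    /* Constructed sample entry: read-only mapping of frame 2, A/D set. */
    uint64_t ro = make_pte(2, PTE_PRESENT | PTE_ACCESSED | PTE_DIRTY);

    printf("clear A/D, strict allowlist: %s\n",
           name[try_update(ro, make_pte(2, PTE_PRESENT), SAFE_STRICT)]);
    printf("set RW,    strict allowlist: %s\n",
           name[try_update(ro, ro | PTE_RW, SAFE_STRICT)]);
    printf("set RW,    broad allowlist:  %s\n",
           name[try_update(ro, ro | PTE_RW, SAFE_BROAD)]);
    return 0;
}
```

With SAFE_BROAD the last case is accepted on the fast path even though full validation rejects the same entry, which is the class of error the advisory describes.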


From xen-announce-bounces@lists.xen.org Tue Jul 26 12:06:59 2016
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1bS16r-00051A-AE@xenbits.xenproject.org>
Date: Tue, 26 Jul 2016 12:05:17 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 183 (CVE-2016-6259) - x86:
 Missing SMAP whitelisting in 32-bit exception / event delivery

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-6259 / XSA-183
                              version 5

    x86: Missing SMAP whitelisting in 32-bit exception / event delivery

UPDATES IN VERSION 5
====================

Public release.

ISSUE DESCRIPTION
=================

Supervisor Mode Access Prevention is a hardware feature designed to make
an Operating System more robust, by raising a pagefault rather than
accidentally following a pointer into userspace.  However, legitimate
accesses into userspace require whitelisting, and the exception delivery
mechanism for 32bit PV guests wasn't whitelisted.

IMPACT
======

A malicious 32-bit PV guest kernel can trigger a safety check, crashing
the hypervisor and causing a denial of service to other VMs on the host.

VULNERABLE SYSTEMS
==================

Xen version 4.5 and newer are vulnerable.  Versions 4.4 and older are
not, due to not having software support for SMAP.

The vulnerability is only exposed on x86 hardware supporting the SMAP
feature (Intel Broadwell and later CPUs).  The vulnerability is not
exposed on ARM hardware, or x86 hardware which does not support SMAP.

The vulnerability is only exposed to x86 32bit PV guests.  The
vulnerability is not exposed to 64bit PV guests or HVM guests.

MITIGATION
==========

Running only HVM guests or 64-bit PV guests avoids the vulnerability.

Disabling SMAP in the hypervisor by booting Xen with "smap=0" on the
command line will avoid this vulnerability.  (Depending on the
circumstances this workaround may pose a small risk of increasing the
impact of other, possibly unknown, vulnerabilities.)

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa183.patch           xen-unstable, 4.7.x
xsa183-4.6.patch       Xen 4.6.x, 4.5.x

$ sha256sum xsa183*
ea0ea4b294332814330f222e6d78eea3b19c394eac8ae22feb4a5bd21e90331f  xsa183-unstable.patch
0fee41f21a3eb4af1487590098047f4625688bcef7419572a8f418f9fb728468  xsa183-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Deployment of the "smap=0" mitigation is NOT permitted (except
where all the affected systems and VMs are administered and used only
by organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.  This is because this produces a guest-visible
change which could lead to rediscovery of the vulnerability.

And: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa183-unstable.patch"
Content-Disposition: attachment; filename="xsa183-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa183-4.6.patch"
Content-Disposition: attachment; filename="xsa183-4.6.patch"
Content-Transfer-Encoding: base64

--=separator--


From xen-announce-bounces@lists.xen.org Wed Jul 27 16:08:18 2016
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 27 Jul 2016 16:08:18 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1bSRMZ-00074j-4C; Wed, 27 Jul 2016 16:07:15 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1bSRMX-00074X-Mf; Wed, 27 Jul 2016 16:07:13 +0000
Received: from [193.109.254.147] by server-11.bemta-14.messagelabs.com id
 DC/1D-09831-03CD8975; Wed, 27 Jul 2016 16:07:12 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-9.tower-27.messagelabs.com!1469635630!56284410!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 8.77; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 62824 invoked from network); 27 Jul 2016 16:07:11 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-9.tower-27.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 27 Jul 2016 16:07:11 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1bSRME-00036Q-2T; Wed, 27 Jul 2016 16:06:54 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1bSRMD-0006Jd-Sq; Wed, 27 Jul 2016 16:06:53 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1bSRMD-0006Jd-Sq@xenbits.xenproject.org>
Date: Wed, 27 Jul 2016 16:06:53 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 184 (CVE-2016-5403) - virtio:
 unbounded memory allocation issue
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-5403 / XSA-184
                              version 2

               virtio: unbounded memory allocation issue

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

A guest can submit virtio requests without bothering to wait for
completion and is therefore not bound by virtqueue size.  (This
requires reusing vring descriptors in more than one request, which is
incorrect but possible.)  Processing a request allocates a
VirtQueueElement and therefore causes unbounded memory allocation
controlled by the guest.

IMPACT
======

A malicious guest administrator can cause unbounded memory allocation
in QEMU, which can cause an Out-of-Memory condition in the domain
running qemu.

Thus, a malicious guest administrator can cause a denial of service
affecting the whole host.

VULNERABLE SYSTEMS
==================

ARM systems are not vulnerable.

PV domains are not vulnerable.

Only HVM domains where virtio-net devices are provided to the guest
are vulnerable.  Note that NO such devices are provided by default,
so the default configuration is not vulnerable.

HVM domains run with QEMU stub domains are not vulnerable.

(Note that all virtio subsystems are affected; but only virtio-net is
a supported configuration.  See docs/misc/qemu-xen-security.)

MITIGATION
==========

Running PV only will avoid the issue.

Running HVM domains with Xen PV drivers instead of virtio-net will
avoid the issue.

Running HVM domains with stubdomains will mitigate the issue.

CREDITS
=======

This issue was discovered by Zhenhao Hong of the 360 Marvel Team.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa184-qemuu-master.patch  qemu-upstream, Xen unstable, 4.7.x, 4.6.x, 4.5.x, 4.4.x
xsa184-qemut-master.patch  qemu-traditional, Xen unstable, 4.7.x, 4.6.x, 4.5.x, 4.4.x

$ sha256sum xsa184*
ea41a25dac82cc5c0ef8e599feb6ed400e99414110d4dba8017d6bd048bc3de4  xsa184-qemut-master.patch
2d675e5e08d9443cf2e5f3aa37521241d6ed898a602b5111d6969023e67b9b6b  xsa184-qemuu-master.patch
$

NOTES ON THE EMBARGO PERIOD
===========================

Note that the embargo period is shorter than normal as the Xen
Security team were only notified of the issue on 25 July.

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa184-qemut-master.patch"
Content-Disposition: attachment; filename="xsa184-qemut-master.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa184-qemuu-master.patch"
Content-Disposition: attachment; filename="xsa184-qemuu-master.patch"
Content-Transfer-Encoding: base64

--=separator--
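
Added example (not part of the advisory, and not the attached patch or QEMU
code): a toy device-side queue model for the XSA-184 issue description above,
showing how per-request allocation grows with guest-published requests unless
the device caps in-flight elements at the ring size.  All names and the ring
size of 8 are hypothetical.

```c
/* Added illustration, not QEMU code: a toy device-side virtqueue model.
 * All names and sizes are hypothetical / constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define QUEUE_SIZE 8u                 /* ring size (constructed value) */

struct elem {                         /* stands in for one VirtQueueElement */
    uint16_t head;
    struct elem *next;
};

struct vq_model {
    uint16_t avail_ring[QUEUE_SIZE];  /* guest-written descriptor heads */
    uint16_t avail_idx;               /* guest-written publish counter */
    uint16_t last_avail;              /* device-side consume counter */
    unsigned inuse;                   /* popped, not yet completed */
    unsigned peak_inuse;
    struct elem *inflight;
    bool enforce_bound;               /* hardened behaviour on/off */
    bool broken;                      /* set when the bound is violated */
};

static void vq_init(struct vq_model *vq, bool enforce_bound)
{
    *vq = (struct vq_model){ .enforce_bound = enforce_bound };
}

/* Guest side: publish a request starting at descriptor `head`. */
static void guest_publish(struct vq_model *vq, uint16_t head)
{
    vq->avail_ring[vq->avail_idx % QUEUE_SIZE] = head;
    vq->avail_idx++;
}

/* Device side: consume one published request, allocating an element.
 * Returns false if nothing is pending, malloc fails, or the queue is broken. */
static bool vq_pop(struct vq_model *vq)
{
    if (vq->broken || vq->avail_idx == vq->last_avail)
        return false;
    /* A conforming guest cannot have more requests outstanding than the ring
     * has descriptors; treat an excess as a guest error, not as a reason to
     * allocate more memory. */
    if (vq->enforce_bound && vq->inuse >= QUEUE_SIZE) {
        vq->broken = true;
        return false;
    }
    struct elem *e = malloc(sizeof(*e));
    if (!e)
        return false;
    e->head = vq->avail_ring[vq->last_avail % QUEUE_SIZE];
    vq->last_avail++;
    e->next = vq->inflight;
    vq->inflight = e;
    if (++vq->inuse > vq->peak_inuse)
        vq->peak_inuse = vq->inuse;
    return true;
}

/* Device side: complete (and free) one in-flight request. */
static bool vq_complete(struct vq_model *vq)
{
    struct elem *e = vq->inflight;
    if (!e)
        return false;
    vq->inflight = e->next;
    vq->inuse--;
    free(e);
    return true;
}

/* Same descriptor republished `requests` times with no completions in
 * between.  Returns the peak number of allocated in-flight elements. */
unsigned peak_inflight_with_reuse(bool enforce_bound, unsigned requests)
{
    struct vq_model vq;
    vq_init(&vq, enforce_bound);
    for (unsigned i = 0; i < requests; i++) {
        guest_publish(&vq, 0);
        if (!vq_pop(&vq))
            break;
    }
    unsigned peak = vq.peak_inuse;
    while (vq_complete(&vq))
        ;
    return peak;
}

/* Conforming guest: fill the ring, wait for every completion, repeat.
 * Returns true if the bound never trips. */
bool conforming_guest_unaffected(unsigned rounds)
{
    struct vq_model vq;
    vq_init(&vq, true);
    for (unsigned r = 0; r < rounds; r++) {
        for (uint16_t d = 0; d < QUEUE_SIZE; d++) {
            guest_publish(&vq, d);
            if (!vq_pop(&vq))
                return false;
        }
        while (vq_complete(&vq))
            ;
    }
    return !vq.broken;
}

int main(void)
{
    printf("unbounded peak: %u\n", peak_inflight_with_reuse(false, 1000));
    printf("bounded peak:   %u\n", peak_inflight_with_reuse(true, 1000));
    printf("conforming ok:  %d\n", conforming_guest_unaffected(100));
    return 0;
}
```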

