From xen-announce-bounces@lists.xen.org Fri Feb 10 12:44:49 2017
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 10 Feb 2017 12:44:49 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ccAY6-0004Po-PV; Fri, 10 Feb 2017 12:43:38 +0000
Received: from mail6.bemta6.messagelabs.com ([193.109.254.103])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1ccAY5-0004PZ-6B; Fri, 10 Feb 2017 12:43:37 +0000
Received: from [193.109.254.147] by server-10.bemta-6.messagelabs.com id
 83/23-13192-875BD985; Fri, 10 Feb 2017 12:43:36 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-16.tower-27.messagelabs.com!1486730612!86102669!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 9.2.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 2110 invoked from network); 10 Feb 2017 12:43:33 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-16.tower-27.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 10 Feb 2017 12:43:33 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1ccAXl-0001Wi-Eu; Fri, 10 Feb 2017 12:43:17 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1ccAXl-0000Q3-Dy; Fri, 10 Feb 2017 12:43:17 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1ccAXl-0000Q3-Dy@xenbits.xenproject.org>
Date: Fri, 10 Feb 2017 12:43:17 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 208 (CVE-2017-2615) - oob
 access in cirrus bitblt copy
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2017-2615 / XSA-208

                   oob access in cirrus bitblt copy

ISSUE DESCRIPTION
=================

When doing bitblt copy backwards, qemu should negate the blit width.
This avoids an oob access before the start of video memory.

IMPACT
======

A malicious guest administrator can cause an out of bounds memory
access, possibly leading to information disclosure or privilege
escalation.

VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability.  The non-default "stdvga" emulated video card is
not vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
in the xl domain configuration) will avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa208-qemuu.patch    qemu-xen, mainline qemu
xsa208-qemut.patch    qemu-xen-traditional

$ sha256sum xsa208*
4369cce9b72daf2418a1b9dd7be6529c312b447b814c44d634bab462e80a15f5  xsa208-qemut.patch
1e516e3df1091415b6ba34aaf54fa67eac91e22daceaad569b11baa2316c78ba  xsa208-qemuu.patch
$


NOTE REGARDING LACK OF EMBARGO
==============================

This issue has already been publicly disclosed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa208-qemut.patch"
Content-Disposition: attachment; filename="xsa208-qemut.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa208-qemuu.patch"
Content-Disposition: attachment; filename="xsa208-qemuu.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Mon Feb 13 18:15:43 2017
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 13 Feb 2017 18:15:43 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cdL99-0000Zd-03; Mon, 13 Feb 2017 18:14:43 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cdL97-0000ZR-JZ; Mon, 13 Feb 2017 18:14:41 +0000
Received: from [85.158.139.211] by server-7.bemta-5.messagelabs.com id
 53/3B-02154-097F1A85; Mon, 13 Feb 2017 18:14:40 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-14.tower-206.messagelabs.com!1487009677!45859319!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 9.2.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 6804 invoked from network); 13 Feb 2017 18:14:38 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-14.tower-206.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 13 Feb 2017 18:14:38 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cdL8t-00068A-Fd; Mon, 13 Feb 2017 18:14:27 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cdL8t-0007j3-EY; Mon, 13 Feb 2017 18:14:27 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cdL8t-0007j3-EY@xenbits.xenproject.org>
Date: Mon, 13 Feb 2017 18:14:27 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 208 (CVE-2017-2615) - oob
 access in cirrus bitblt copy
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2017-2615 / XSA-208
                              version 2

                   oob access in cirrus bitblt copy

UPDATES IN VERSION 2
====================

Included backport for qemu-xen versions 4.7 (and earlier); fixed
qemu-xen-traditional patch.  Also included proper (non-obscured)
e-mail addresses from upstream patch.

Removed "possibly" from Impact.

3 patches updated

ISSUE DESCRIPTION
=================

When doing bitblt copy backwards, qemu should negate the blit width.
This avoids an oob access before the start of video memory.

IMPACT
======

A malicious guest administrator can cause an out of bounds memory
access, leading to information disclosure or privilege escalation.

VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability.  The non-default "stdvga" emulated video card is
not vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
in the xl domain configuration) will avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa208-qemuu.patch       mainline qemu, qemu-xen master,4.8
xsa208-qemuu-4.7.patch   qemu-xen 4.4, 4.5, 4.6, 4.7
xsa208-qemut.patch       qemu-xen-traditional

$ sha256sum xsa208*
afde3e9d4bf5225f92c36dec9ff673b0b1b0bad4452d406f0c12edc85e2fec72  xsa208-qemut.patch
e492d528141be5899d46c2ac0bcd0c40ca9d9bfc40906a8e7a565361f17ce38d  xsa208-qemuu.patch
09471b66c9d9fc5616e7b96ab67bbb51987e7d9520d1b81cb27cbbb168659ad5  xsa208-qemuu-4.7.patch
$


NOTE REGARDING LACK OF EMBARGO
==============================

This issue has already been publicly disclosed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa208-qemut.patch"
Content-Disposition: attachment; filename="xsa208-qemut.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa208-qemuu.patch"
Content-Disposition: attachment; filename="xsa208-qemuu.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa208-qemuu-4.7.patch"
Content-Disposition: attachment; filename="xsa208-qemuu-4.7.patch"
Content-Transfer-Encoding: base64
--=separator--
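
Added example, not part of the advisory and not qemu's source: a simplified C model of the range check the Issue Description refers to, comparing a backward-copy check that adds the blit width with one that negates it, and sweeping a small video memory to count out-of-range copies each check accepts. The struct, the function names and the 64-byte sweep are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified blitter state for this example (names are assumptions, not qemu's). */
struct blit {
    int32_t vram_size;  /* size of emulated video memory in bytes */
    int32_t width;      /* bytes copied per line */
    int32_t height;     /* number of lines */
};

typedef bool (*blit_check_fn)(const struct blit *, int32_t pitch, int32_t addr);

/*
 * A backward copy starts at addr, the highest byte of the first line, and
 * walks downwards: line y covers [addr + y*pitch - (width-1), addr + y*pitch]
 * with pitch < 0. Returns the lowest byte offset the whole copy touches.
 */
static int64_t backward_lowest_byte(const struct blit *b, int32_t pitch, int32_t addr)
{
    return (int64_t)addr + ((int64_t)b->height - 1) * pitch
           - ((int64_t)b->width - 1);
}

/* Check that treats the width as extending upwards from addr, as a forward copy would. */
static bool unsafe_width_added(const struct blit *b, int32_t pitch, int32_t addr)
{
    int64_t min = (int64_t)addr + ((int64_t)b->height - 1) * pitch;
    int64_t max = (int64_t)addr + b->width;
    return min < 0 || max >= b->vram_size;
}

/*
 * Check with the width negated. min is one below the lowest byte touched,
 * so min == -1 is still in range; addr is the topmost byte and is compared
 * against the memory size as-is.
 */
static bool unsafe_width_negated(const struct blit *b, int32_t pitch, int32_t addr)
{
    int64_t min = (int64_t)addr + ((int64_t)b->height - 1) * pitch - b->width;
    return min < -1 || addr >= b->vram_size;
}

/*
 * Sweep every backward copy in a small (constructed) 64-byte video memory and
 * count those the check accepts although they reach below offset 0.
 */
static int count_missed(blit_check_fn check)
{
    int missed = 0;
    struct blit b = { .vram_size = 64 };

    for (b.width = 1; b.width <= 16; b.width++)
        for (b.height = 1; b.height <= 4; b.height++)
            for (int32_t pitch = -1; pitch >= -16; pitch--)
                for (int32_t addr = 0; addr < b.vram_size; addr++)
                    if (!check(&b, pitch, addr) &&
                        backward_lowest_byte(&b, pitch, addr) < 0)
                        missed++;
    return missed;
}

int main(void)
{
    printf("accepted but below start of memory, width added:   %d\n",
           count_missed(unsafe_width_added));
    printf("accepted but below start of memory, width negated: %d\n",
           count_missed(unsafe_width_negated));
    return 0;
}
```
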


From xen-announce-bounces@lists.xen.org Mon Feb 13 18:15:43 2017
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 13 Feb 2017 18:15:43 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cdL99-0000Zd-03; Mon, 13 Feb 2017 18:14:43 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cdL97-0000ZR-JZ; Mon, 13 Feb 2017 18:14:41 +0000
Received: from [85.158.139.211] by server-7.bemta-5.messagelabs.com id
 53/3B-02154-097F1A85; Mon, 13 Feb 2017 18:14:40 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-14.tower-206.messagelabs.com!1487009677!45859319!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 9.2.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 6804 invoked from network); 13 Feb 2017 18:14:38 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-14.tower-206.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 13 Feb 2017 18:14:38 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cdL8t-00068A-Fd; Mon, 13 Feb 2017 18:14:27 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cdL8t-0007j3-EY; Mon, 13 Feb 2017 18:14:27 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cdL8t-0007j3-EY@xenbits.xenproject.org>
Date: Mon, 13 Feb 2017 18:14:27 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 208 (CVE-2017-2615) - oob
 access in cirrus bitblt copy
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2017-2615 / XSA-208
                              version 2

                   oob access in cirrus bitblt copy

UPDATES IN VERSION 2
====================

Included backport for qemu-xen versions 4.7 (and earlier); fixed
qemu-xen-traditional patch.  Also included proper (non-obscured)
e-mail addresses from upstream patch.

Removed "possibly" from Impact.

3 patches updated

ISSUE DESCRIPTION
=================

When doing bitblt copy backwards, qemu should negate the blit width.
This avoids an oob access before the start of video memory.

IMPACT
======

A malicious guest administrator can cause an out of bounds memory
access, leading to information disclosure or privilege escalation.

VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability.  The non-default "stdvga" emulated video card is
not vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
in the xl domain configuration) will avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa208-qemuu.patch       mainline qemu, qemu-xen master, 4.8
xsa208-qemuu-4.7.patch   qemu-xen 4.4, 4.5, 4.6, 4.7
xsa208-qemut.patch       qemu-xen-traditional

$ sha256sum xsa208*
afde3e9d4bf5225f92c36dec9ff673b0b1b0bad4452d406f0c12edc85e2fec72  xsa208-qemut.patch
e492d528141be5899d46c2ac0bcd0c40ca9d9bfc40906a8e7a565361f17ce38d  xsa208-qemuu.patch
09471b66c9d9fc5616e7b96ab67bbb51987e7d9520d1b81cb27cbbb168659ad5  xsa208-qemuu-4.7.patch
$


NOTE REGARDING LACK OF EMBARGO
==============================

This issue has already been publicly disclosed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa208-qemut.patch"
Content-Disposition: attachment; filename="xsa208-qemut.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa208-qemuu.patch"
Content-Disposition: attachment; filename="xsa208-qemuu.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa208-qemuu-4.7.patch"
Content-Disposition: attachment; filename="xsa208-qemuu-4.7.patch"
Content-Transfer-Encoding: base64

--=separator--
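
Added example, not part of the advisory or of the attached qemu patches: a simplified C model of the bounds check for a backward blit, with the width added (as for a forward copy) beside the width negated as the ISSUE DESCRIPTION of XSA-208 calls for. The struct, the function names, the assumed line layout and the sample values are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified blitter parameters (not qemu's own state struct). */
struct blit {
    int32_t width;     /* bytes copied per line, > 0 */
    int32_t height;    /* number of lines, > 0 */
    int64_t vram_size; /* bytes of emulated video memory */
};

typedef bool (*check_fn)(const struct blit *b, int32_t pitch, int32_t addr);

/* Constructed sample: one 16-byte line in a 1024-byte video memory. */
static const struct blit SAMPLE = { 16, 1, 1024 };

/*
 * Assumed model of a backward blit: addr is the topmost byte, each line runs
 * downwards over `width` bytes, and the next line starts at addr + pitch
 * (pitch < 0).  The lowest byte touched is therefore:
 */
static int64_t lowest_byte(const struct blit *b, int32_t pitch, int32_t addr)
{
    return (int64_t)addr + ((int64_t)b->height - 1) * pitch - (b->width - 1);
}

/* Ground truth for the model: does any byte fall outside [0, vram_size)? */
static bool really_out_of_bounds(const struct blit *b, int32_t pitch, int32_t addr)
{
    return lowest_byte(b, pitch, addr) < 0 || addr >= b->vram_size;
}

/* "Before": the width is added, as it would be for a forward copy. */
static bool unsafe_width_added(const struct blit *b, int32_t pitch, int32_t addr)
{
    int64_t min = (int64_t)addr + ((int64_t)b->height - 1) * pitch;
    int64_t max = (int64_t)addr + b->width;
    return min < 0 || max >= b->vram_size;
}

/* "After": the width is negated; addr itself is the upper bound to check. */
static bool unsafe_width_negated(const struct blit *b, int32_t pitch, int32_t addr)
{
    int64_t min = (int64_t)addr + ((int64_t)b->height - 1) * pitch - b->width;
    return min < -1 || addr >= b->vram_size;
}

/* Count regions a check accepts although they leave video memory. */
static unsigned count_missed(check_fn check)
{
    static const int32_t widths[] = { 1, 8, 16 };
    unsigned missed = 0;

    for (size_t w = 0; w < sizeof(widths) / sizeof(widths[0]); w++) {
        for (int32_t h = 1; h <= 4; h++) {
            for (int32_t addr = -32; addr < 300; addr++) {
                struct blit b = { widths[w], h, 256 };
                if (!check(&b, -16, addr) && really_out_of_bounds(&b, -16, addr))
                    missed++;
            }
        }
    }
    return missed;
}

int main(void)
{
    printf("lowest byte touched by the sample blit at addr 4: %lld\n",
           (long long)lowest_byte(&SAMPLE, -16, 4));
    printf("out-of-bounds regions accepted, width added:   %u\n",
           count_missed(unsafe_width_added));
    printf("out-of-bounds regions accepted, width negated: %u\n",
           count_missed(unsafe_width_negated));
    return 0;
}
```
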


From xen-announce-bounces@lists.xen.org Wed Feb 15 12:07:20 2017
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 15 Feb 2017 12:07:20 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cdyLO-0001Ot-Rk@xenbits.xenproject.org>
Date: Wed, 15 Feb 2017 12:05:58 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 207 - memory leak when
 destroying guest without PT devices
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-207
                              version 2

         memory leak when destroying guest without PT devices

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Certain internal state is set up, during domain construction, in
preparation for possible pass-through device assignment.  On ARM and
AMD V-i hardware this setup includes memory allocation.  On guest
teardown, cleanup was erroneously only performed when the guest
actually had a pass-through device assigned.

IMPACT
======

A malicious guest may, by frequently rebooting over extended periods
of time, run the system out of memory, resulting in a Denial of
Service (DoS).

The leak is no more than 4kbytes per guest boot.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and later are affected.

ARM systems, and x86 AMD systems, are affected.  Intel systems, and
systems without IOMMU/SMMU hardware, are unaffected.

All guest kinds can exploit this vulnerability.

MITIGATION
==========

Limiting the frequency with which a guest is able to reboot will
limit the memory leak.

Rebooting each host (after migrating its guests) periodically will
reclaim the leaked space.

CREDITS
=======

This issue was discovered by Oleksandr Tyshchenko of EPAM Systems.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa207.patch           xen-unstable, Xen 4.8.x, Xen 4.7.x, Xen 4.6.x, Xen 4.5.x
xsa207-4.4.patch       Xen 4.4.x

$ sha256sum xsa207*
e9bcf807b3785ac4d78b621fba4a9395cd713d6e57cdaa66559bccf95ded1cd9  xsa207.patch
5f391cc621d619ee33c90398bda24588ebf8320750db4545677bb5222150ae6d  xsa207-4.4.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above is permitted during the
embargo, as is the mitigation of migrating a VM which has no devices
assigned from IOMMU-capable hardware to IOMMU-incapable hardware, even
on public-facing systems with untrusted guest users and administrators.

HOWEVER, moving a VM from AMD to Intel hardware, in response to this
vulnerability, is *not* permitted.  This is because such a change is
visible to guests, and would not normally be expected.

Furthermore: Distribution of updated software is prohibited (except to
other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa207.patch"
Content-Disposition: attachment; filename="xsa207.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa207-4.4.patch"
Content-Disposition: attachment; filename="xsa207-4.4.patch"
Content-Transfer-Encoding: base64

--=separator--
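
Added example, not part of the advisory or of the Xen patches: a small C model of the asymmetry described under ISSUE DESCRIPTION of XSA-207, where setup always allocates but teardown runs only for guests with a pass-through device. All names are hypothetical, allocation is modelled by a byte counter, and the 4096-byte figure is the advisory's stated upper bound per boot.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Upper bound from the advisory: no more than 4 kbytes leaked per guest boot. */
#define SETUP_BYTES 4096u

/* Hypothetical host and guest state; not Xen's data structures. */
struct host {
    size_t live_bytes;   /* memory currently held for pass-through setup */
};

struct domain {
    bool has_pt_device;  /* true only once a pass-through device is assigned */
    size_t setup_bytes;  /* what construction allocated for this guest */
};

typedef void (*destroy_fn)(struct host *h, struct domain *d);

/* Construction prepares for possible pass-through, whether or not it is used. */
static void domain_construct(struct host *h, struct domain *d)
{
    d->has_pt_device = false;
    d->setup_bytes = SETUP_BYTES;
    h->live_bytes += SETUP_BYTES;
}

static void assign_pt_device(struct domain *d)
{
    d->has_pt_device = true;
}

/* Releases whatever construction allocated; safe to call more than once. */
static void setup_state_free(struct host *h, struct domain *d)
{
    h->live_bytes -= d->setup_bytes;
    d->setup_bytes = 0;
}

/* "Before": cleanup only for guests that actually had a device assigned. */
static void destroy_conditional(struct host *h, struct domain *d)
{
    if (d->has_pt_device)
        setup_state_free(h, d);
}

/* "After": cleanup always mirrors construction. */
static void destroy_always(struct host *h, struct domain *d)
{
    setup_state_free(h, d);
}

/* Bytes still held after `boots` construct/destroy cycles of one guest. */
static size_t leaked_bytes(destroy_fn destroy, unsigned boots, bool passthrough)
{
    struct host h = { 0 };

    for (unsigned i = 0; i < boots; i++) {
        struct domain d;
        domain_construct(&h, &d);
        if (passthrough)
            assign_pt_device(&d);
        destroy(&h, &d);
    }
    return h.live_bytes;
}

int main(void)
{
    printf("conditional teardown, no device, 1000 boots: %zu bytes held\n",
           leaked_bytes(destroy_conditional, 1000, false));
    printf("conditional teardown, with device, 1000 boots: %zu bytes held\n",
           leaked_bytes(destroy_conditional, 1000, true));
    printf("unconditional teardown, no device, 1000 boots: %zu bytes held\n",
           leaked_bytes(destroy_always, 1000, false));
    return 0;
}
```
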


From xen-announce-bounces@lists.xen.org Tue Feb 21 12:01:16 2017
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 21 Feb 2017 12:01:16 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cg96x-0006uk-4m@xenbits.xenproject.org>
Date: Tue, 21 Feb 2017 12:00:03 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 209 (CVE-2017-2620) -
 cirrus_bitblt_cputovideo does not check if memory region is safe
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2017-2620 / XSA-209
                              version 3

   cirrus_bitblt_cputovideo does not check if memory region is safe

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
cirrus_bitblt_cputovideo fails to check whether the specified memory
region is safe.

IMPACT
======

A malicious guest administrator can cause an out of bounds memory
write, very likely exploitable as a privilege escalation.

VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability.  The non-default "stdvga" emulated video card is
not vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
in the xl domain configuration) will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Gerd Hoffmann of Red Hat.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa209-qemuu.patch       qemu-xen, qemu upstream
(no backport yet)        qemu-xen-traditional

$ sha256sum xsa209*
167af9ed7163fa7cf4abb52f865290ced3163c7684151bdc1324eb5e534faf13  xsa209-qemut.patch
297578aa43c3e6b21333f1b859fd1d3e68aaaae77b3cadbadd20cfeca8426df3  xsa209-qemuu.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However, deployment of the "stdvga" mitigation (changing the video
card emulation to stdvga) is NOT permitted (except where all the
affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.  This is because this produces a guest-visible
change which will indicate which component contains the vulnerability.

Additionally, distribution of updated software is prohibited (except
to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa209-qemut.patch"
Content-Disposition: attachment; filename="xsa209-qemut.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: application/octet-stream; name="xsa209-qemuu.patch"
Content-Disposition: attachment; filename="xsa209-qemuu.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91
bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz
Lnhlbi5vcmcveGVuLWFubm91bmNl

--=separator--


From xen-announce-bounces@lists.xen.org Thu Feb 23 15:53:55 2017
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 23 Feb 2017 15:53:55 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cgvhK-0006lr-Rr; Thu, 23 Feb 2017 15:52:50 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cgvhJ-0006lf-V5; Thu, 23 Feb 2017 15:52:50 +0000
Received: from [85.158.139.211] by server-10.bemta-5.messagelabs.com id
 61/6B-12424-1550FA85; Thu, 23 Feb 2017 15:52:49 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-4.tower-206.messagelabs.com!1487865166!86544132!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 9.2.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 45508 invoked from network); 23 Feb 2017 15:52:47 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-4.tower-206.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 23 Feb 2017 15:52:47 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cgvh1-0007QR-Up; Thu, 23 Feb 2017 15:52:31 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cgvh1-00026E-Rs; Thu, 23 Feb 2017 15:52:31 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cgvh1-00026E-Rs@xenbits.xenproject.org>
Date: Thu, 23 Feb 2017 15:52:31 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 209 (CVE-2017-2620) -
 cirrus_bitblt_cputovideo does not check if memory region is safe
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2017-2620 / XSA-209
                              version 4

   cirrus_bitblt_cputovideo does not check if memory region is safe

UPDATES IN VERSION 4
====================

Include a prerequisite patch for qemu-upstream, correct statement
regarding the availability of a qemu-traditional patch.

ISSUE DESCRIPTION
=================

In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
cirrus_bitblt_cputovideo fails to check whether the specified memory
region is safe.

IMPACT
======

A malicious guest administrator can cause an out of bounds memory
write, very likely exploitable as a privilege escalation.

VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability.  The non-default "stdvga" emulated video card is
not vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
in the xl domain configuration) will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Gerd Hoffmann of Red Hat.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa209-qemuu/*.patch     qemu-xen, qemu upstream
xsa209-qemut.patch       qemu-xen-traditional

$ sha256sum xsa209* xsa209*/*
167af9ed7163fa7cf4abb52f865290ced3163c7684151bdc1324eb5e534faf13  xsa209-qemut.patch
e698b73d8de24af0fe33968a43561e5e1d094f4caf2443caa447b552677d2683  xsa209-qemuu/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
50c60e45151ef2265cce4f92b204e9fd75f8bc8952f097e77ab4fe1c1446bc98  xsa209-qemuu/0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However, deployment of the "stdvga" mitigation (changing the video
card emulation to stdvga) is NOT permitted (except where all the
affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.  This is because this produces a guest-visible
change which will indicate which component contains the vulnerability.

Additionally, distribution of updated software is prohibited (except
to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa209-qemut.patch"
Content-Disposition: attachment; filename="xsa209-qemut.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: application/octet-stream;
 name="xsa209-qemuu/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch"
Content-Disposition: attachment;
 filename="xsa209-qemuu/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream;
 name="xsa209-qemuu/0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch"
Content-Disposition: attachment;
 filename="xsa209-qemuu/0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91
bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz
Lnhlbi5vcmcveGVuLWFubm91bmNl

--=separator--
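
An added example, not part of the advisory: a Python sketch that sorts xl domain configurations into the exposure categories listed under VULNERABLE SYSTEMS and MITIGATION (non-HVM guest, non-cirrus video card, stubdomain device model, cirrus with qemu in dom0). The sample configurations are constructed; the option names builder, type and device_model_stubdomain_override, and the rule that vga= takes precedence over stdvga=, are assumptions taken from xl.cfg and are not stated in the advisory.

```python
import re

# One scalar setting per line: key = value
_ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")


def _strip_comment(line):
    """Drop a trailing '#' comment unless the '#' sits inside a quoted string."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line


def parse_xl_cfg(text):
    """Collect the `key = value` settings of an xl domain config as strings."""
    cfg = {}
    for raw in text.splitlines():
        m = _ASSIGN.match(_strip_comment(raw))
        if not m:
            continue  # blank line, comment, or continuation of a list value
        key, value = m.group(1), m.group(2).rstrip(";").strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        cfg[key] = value  # assumption: a later assignment replaces an earlier one
    return cfg


def _truthy(value):
    """Interpret an xl boolean written as an integer (1 / 0)."""
    try:
        return int(value) != 0
    except (TypeError, ValueError):
        return False


def classify(text):
    """Return 'not-affected', 'avoided', 'mitigated' or 'exposed' for one config."""
    cfg = parse_xl_cfg(text)
    # Assumption: HVM guests are marked with builder="hvm" or type="hvm".
    if "hvm" not in (cfg.get("builder", "").lower(), cfg.get("type", "").lower()):
        return "not-affected"          # advisory: PV guests are not vulnerable
    # Assumption: vga= wins over the older stdvga= when both are present.
    if "vga" in cfg:
        card = cfg["vga"].lower()
    elif _truthy(cfg.get("stdvga")):
        card = "stdvga"
    else:
        card = "cirrus"                # advisory: stdvga is the non-default card
    if card != "cirrus":
        return "avoided"               # only the cirrus card reaches the bug
    if _truthy(cfg.get("device_model_stubdomain_override")):
        return "mitigated"             # attacker is confined to the stubdom
    return "exposed"                   # cirrus card, qemu running in dom0


def audit(configs):
    """Map each config name to its exposure category."""
    return {name: classify(text) for name, text in configs.items()}


# Constructed sample configurations (not taken from the advisory).
SAMPLES = {
    "hvm-default": """
name = "web01"
builder = "hvm"
memory = 2048
disk = [ 'phy:/dev/vg0/web01,xvda,w' ]
""",
    "hvm-stdvga-legacy": """
builder = "hvm"
stdvga = 1   # older spelling of the stdvga setting
""",
    "hvm-vga-stdvga": """
type = "hvm"
vga = "stdvga"
""",
    "hvm-stubdom": """
builder = "hvm"
device_model_version = "qemu-xen-traditional"
device_model_stubdomain_override = 1
""",
    "pv": """
name = "db01"
kernel = "/boot/vmlinuz-guest"
memory = 1024
""",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print(f"{name:20s} {status}")
```

Guests reported as "exposed" are the ones that need the patched qemu or one of the advisory's mitigations; "mitigated" guests still run the vulnerable code, with the impact limited as the advisory describes.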


From xen-announce-bounces@lists.xen.org Thu Feb 23 15:53:55 2017
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 23 Feb 2017 15:53:55 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cgvhK-0006lr-Rr; Thu, 23 Feb 2017 15:52:50 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cgvhJ-0006lf-V5; Thu, 23 Feb 2017 15:52:50 +0000
Received: from [85.158.139.211] by server-10.bemta-5.messagelabs.com id
 61/6B-12424-1550FA85; Thu, 23 Feb 2017 15:52:49 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-4.tower-206.messagelabs.com!1487865166!86544132!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 9.2.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 45508 invoked from network); 23 Feb 2017 15:52:47 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-4.tower-206.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 23 Feb 2017 15:52:47 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cgvh1-0007QR-Up; Thu, 23 Feb 2017 15:52:31 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cgvh1-00026E-Rs; Thu, 23 Feb 2017 15:52:31 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cgvh1-00026E-Rs@xenbits.xenproject.org>
Date: Thu, 23 Feb 2017 15:52:31 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 209 (CVE-2017-2620) -
 cirrus_bitblt_cputovideo does not check if memory region is safe
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2017-2620 / XSA-209
                              version 4

   cirrus_bitblt_cputovideo does not check if memory region is safe

UPDATES IN VERSION 4
====================

Include a prerequisite patch for qemu-upstream, correct statement
regarding the availability of a qemu-traditional patch.

ISSUE DESCRIPTION
=================

In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
cirrus_bitblt_cputovideo fails to check whether the specified memory
region is safe.

IMPACT
======

A malicious guest administrator can cause an out of bounds memory
write, very likely exploitable as a privilege escalation.

VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability.  The non-default "stdvga" emulated video card is
not vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
in the xl domain configuration) will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Gerd Hoffmann of Red Hat.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa209-qemuu/*.patch     qemu-xen, qemu upstream
xsa209-qemut.patch       qemu-xen-traditional

$ sha256sum xsa209* xsa209*/*
167af9ed7163fa7cf4abb52f865290ced3163c7684151bdc1324eb5e534faf13  xsa209-qemut.patch
e698b73d8de24af0fe33968a43561e5e1d094f4caf2443caa447b552677d2683  xsa209-qemuu/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
50c60e45151ef2265cce4f92b204e9fd75f8bc8952f097e77ab4fe1c1446bc98  xsa209-qemuu/0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However, deployment of the "stdvga" mitigation (changing the video
card emulation to stdvga) is NOT permitted (except where all the
affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.  This is because this produces a guest-visible
change which will indicate which component contains the vulnerability.

Additionally, distribution of updated software is prohibited (except
to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa209-qemut.patch"
Content-Disposition: attachment; filename="xsa209-qemut.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream;
 name="xsa209-qemuu/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch"
Content-Disposition: attachment;
 filename="xsa209-qemuu/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream;
 name="xsa209-qemuu/0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch"
Content-Disposition: attachment;
 filename="xsa209-qemuu/0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--
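
An added example, not part of the advisory: a Python check that classifies xl domain configurations against the XSA-209 conditions above (HVM guest, cirrus card, device model not in a stubdomain). The sample configs and function names are constructed; `builder`/`type` and `device_model_stubdomain_override` are xl.cfg options the advisory does not name, and cirrus is taken as the xl default card for HVM guests.

```python
import re

# Constructed sample xl domain configurations (not taken from the advisory).
SAMPLE_CONFIGS = {
    # HVM guest with no vga/stdvga setting: gets the default (cirrus) card.
    "web01.cfg": 'name = "web01"\nbuilder = "hvm"\n'
                 'device_model_version = "qemu-xen"\n',
    # HVM guest switched to stdvga, as the MITIGATION section describes.
    "db01.cfg": 'name = "db01"\nbuilder = "hvm"\nvga = "stdvga"\n',
    # HVM guest on cirrus, but with the device model in a stub domain.
    "legacy.cfg": 'name = "legacy"\nbuilder = "hvm"\nstdvga = 0\n'
                  'device_model_version = "qemu-xen-traditional"\n'
                  'device_model_stubdomain_override = 1\n',
    # No builder/type line: a PV guest.
    "pv01.cfg": 'name = "pv01"\nkernel = "/boot/vmlinuz-guest"\n',
}

# key = "string" | 'string' | integer; trailing comments are ignored and
# list values (disk = [...], vif = [...]) never match, so they are skipped.
_ASSIGN = re.compile(
    r'''^\s*([A-Za-z_]\w*)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\d+))''')


def parse_xl_config(text):
    """Return the scalar options of an xl domain config as a dict."""
    opts = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue  # comment, blank line, or list value
        key, dq, sq, num = m.groups()
        if num is not None:
            opts[key] = int(num)
        else:
            opts[key] = dq if dq is not None else sq
    return opts


def _truthy(value):
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def classify(text):
    """Classify one config: not-hvm, no-cirrus, mitigated-stubdom, exposed."""
    opts = parse_xl_config(text)
    guest_type = str(opts.get("type", opts.get("builder", "pv"))).lower()
    if guest_type != "hvm":
        return "not-hvm"            # the advisory only concerns HVM guests
    # Assumption: when both are present, vga= takes precedence over stdvga=.
    if "vga" in opts:
        card = str(opts["vga"]).lower()
    elif _truthy(opts.get("stdvga", 0)):
        card = "stdvga"
    else:
        card = "cirrus"             # assumed xl default for HVM guests
    if card != "cirrus":
        return "no-cirrus"
    if _truthy(opts.get("device_model_stubdomain_override", 0)):
        return "mitigated-stubdom"  # qemu compromise confined to the stubdom
    return "exposed"                # cirrus card emulated by qemu in dom0


def audit(configs):
    """Map each config name to its classification."""
    return {name: classify(text) for name, text in sorted(configs.items())}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONFIGS).items():
        print(f"{name:12} {status}")
```

Guests reported as `exposed` still need the qemu patch or one of the listed mitigations; `mitigated-stubdom` limits the impact to the stub domain rather than removing the bug.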


From xen-announce-bounces@lists.xen.org Thu Feb 23 16:29:39 2017
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 23 Feb 2017 16:29:39 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cgwFr-0002Gn-Ia; Thu, 23 Feb 2017 16:28:31 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cgwFr-0002GV-4O; Thu, 23 Feb 2017 16:28:31 +0000
Received: from [85.158.137.68] by server-3.bemta-3.messagelabs.com id
 0B/6D-14551-EAD0FA85; Thu, 23 Feb 2017 16:28:30 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-15.tower-31.messagelabs.com!1487867308!83096947!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 9.2.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 17896 invoked from network); 23 Feb 2017 16:28:29 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-15.tower-31.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 23 Feb 2017 16:28:29 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cgwFe-0000RR-Sd; Thu, 23 Feb 2017 16:28:18 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cgwFe-0005Mf-Pk; Thu, 23 Feb 2017 16:28:18 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cgwFe-0005Mf-Pk@xenbits.xenproject.org>
Date: Thu, 23 Feb 2017 16:28:18 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 210 - arm: memory corruption
 when freeing p2m pages
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-210

             arm: memory corruption when freeing p2m pages

ISSUE DESCRIPTION
=================

When freeing pages used for stage-2 page tables, the freeing routine
failed to remove these pages from an internally managed list they were
put on during allocation.  The same list node elements are also
used by the hypervisor's page allocator.  Subsequent manipulation of
ARM's private P2M list could therefore corrupt the lists maintained by
the page allocator.  The buggy code is exposed to guests via the
XENMEM_decrease_reservation hypercall.

IMPACT
======

A malicious or buggy guest may corrupt hypervisor state, commonly
leading to a host crash (Denial of Service).  Privilege escalation or
information leaks cannot be excluded.

VULNERABLE SYSTEMS
==================

Only Xen version 4.8 is affected.  Xen versions 4.7 and earlier are not
vulnerable.

Only ARM systems are vulnerable.  X86 based systems are not vulnerable.

MITIGATION
==========

There is no known mitigation.

NOTE REGARDING LACK OF EMBARGO
==============================

The issue was discussed publicly before being recognized as a security
issue.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa210.patch           xen-unstable, Xen 4.8.x

$ sha256sum xsa210*
10e26c017c916dcac261c6a3c92656831f0ad037f792940e6faf6905c6e23861  xsa210.patch
$

CREDITS
=======

The initial bug was discovered by Vijay Kilari of Cavium and the
security aspect was diagnosed by Julien Grall of ARM.

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa210.patch"
Content-Disposition: attachment; filename="xsa210.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--
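
The list-node sharing described in the XSA-210 issue description, as a small Python model added here (not Xen code). The class and function names, the three page-table pages and the later removal of the first list entry are constructed for illustration; each page carries a single prev/next pair, standing in for the one list node that both the P2M list and the page allocator use.

```python
class ListHead:
    """Sentinel of a circular doubly-linked list (models an intrusive C list)."""

    def __init__(self, name):
        self.name = name
        self.prev = self.next = self

    def add_tail(self, page):
        # Overwrites page.prev/page.next without checking whether the page
        # is still linked on some other list.
        page.prev, page.next = self.prev, self
        self.prev.next = page
        self.prev = page

    def is_consistent(self, limit=64):
        """True if every forward link is mirrored by the backward link."""
        node = self
        for _ in range(limit):
            if node.next is None or node.next.prev is not node:
                return False
            node = node.next
            if node is self:
                return True
        return False

    def members(self, limit=64):
        names, node = [], self.next
        while node is not self and node is not None and len(names) < limit:
            names.append(node.name)
            node = node.next
        return names


class Page:
    """A page with ONE embedded list node, shared by whichever list owns it."""

    def __init__(self, name):
        self.name = name
        self.prev = self.next = None


def unlink(page):
    """Remove a page from its list by patching its neighbours' pointers."""
    page.prev.next = page.next
    page.next.prev = page.prev
    page.prev = page.next = None


def free_page_buggy(page, free_list):
    # Flaw modelled: the page is handed to the allocator while the private
    # p2m list still has neighbours pointing at its node.
    free_list.add_tail(page)


def free_page_fixed(page, free_list):
    # Fix modelled: take the page off the p2m list before freeing it.
    unlink(page)
    free_list.add_tail(page)


def snapshot(lst):
    """List contents if the list is intact, None if its links are corrupt."""
    return lst.members() if lst.is_consistent() else None


def run(free_fn):
    p2m_pages, free_list = ListHead("p2m"), ListHead("free")
    a, b, c = Page("A"), Page("B"), Page("C")
    for page in (a, b, c):          # page-table pages tracked on the p2m list
        p2m_pages.add_tail(page)
    free_list.add_tail(Page("F0"))  # allocator already holds one free page

    free_fn(b, free_list)           # page-table page B is freed
    unlink(a)                       # later, unrelated p2m list manipulation
    return {"p2m": snapshot(p2m_pages), "free": snapshot(free_list)}


if __name__ == "__main__":
    print("buggy:", run(free_page_buggy))
    print("fixed:", run(free_page_fixed))
```

In the buggy run the later `unlink(a)` writes through A's stale pointer into B's node, which by then belongs to the allocator's free list, so both lists fail the consistency walk.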


From xen-announce-bounces@lists.xen.org Tue Feb 28 15:24:50 2017
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 28 Feb 2017 15:24:50 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cijcp-0000Eg-AS; Tue, 28 Feb 2017 15:23:39 +0000
Received: from mail6.bemta6.messagelabs.com ([193.109.254.103])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <prvs=225fd040a=Paul.Durrant@citrix.com>)
 id 1cijLm-00064f-3h; Tue, 28 Feb 2017 15:06:02 +0000
Received: from [193.109.254.147] by server-6.bemta-6.messagelabs.com id
 58/C7-15112-9D195B85; Tue, 28 Feb 2017 15:06:01 +0000
X-Env-Sender: prvs=225fd040a=Paul.Durrant@citrix.com
X-Msg-Ref: server-15.tower-27.messagelabs.com!1488294359!36445239!1
X-Originating-IP: [185.25.65.24]
X-SpamReason: No, hits=0.0 required=7.0 tests=received_headers: No 
 Received headers
X-StarScan-Received: 
X-StarScan-Version: 9.2.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 28444 invoked from network); 28 Feb 2017 15:05:59 -0000
Received: from smtp.eu.citrix.com (HELO SMTP.EU.CITRIX.COM) (185.25.65.24)
 by server-15.tower-27.messagelabs.com with RC4-SHA encrypted SMTP;
 28 Feb 2017 15:05:59 -0000
X-IronPort-AV: E=Sophos;i="5.35,220,1484006400"; d="scan'208";a="41585402"
From: Paul Durrant <Paul.Durrant@citrix.com>
To: "'xen-announce@lists.xenproject.org'" <xen-announce@lists.xenproject.org>, 
 "win-pv-devel@lists.xenproject.org" <win-pv-devel@lists.xenproject.org>
Thread-Topic: Windows PV Drivers 8.2 Released
Thread-Index: AdKR05HuoZTfSMSeSOeF9Myj5hbe0Q==
Date: Tue, 28 Feb 2017 15:03:58 +0000
Message-ID: <c5fdb946bc254049a4e5e0ab802a87ed@AMSPEX02CL03.citrite.net>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
MIME-Version: 1.0
X-Mailman-Approved-At: Tue, 28 Feb 2017 15:23:38 +0000
Subject: [Xen-announce] Windows PV Drivers 8.2 Released
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

