
[Minios-devel] Fwd: [Xen-devel] Xen Security Advisory 155 (CVE-2015-8550) - paravirtualized drivers incautious about shared memory



---------- Forwarded message ----------
From: Eric Shelton <eshelton@xxxxxxxxx>
Date: Mon, Dec 21, 2015 at 6:10 PM
Subject: Re: [Xen-devel] Xen Security Advisory 155 (CVE-2015-8550) -
paravirtualized drivers incautious about shared memory
To: "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, Stefano
Stabellini <stefano.stabellini@xxxxxxxxxxxxx>, Samuel Thibault
<samuel.thibault@xxxxxxxxxxxx>, security@xxxxxxx

[also copying minios-devel]

Seeing as "All OSes providing PV backends are susceptible," doesn't
this include MiniOS for QEMU stubdom as well?  Are there patches
available for mini-os/blkfront.c, mini-os/netfront.c, and
mini-os/pcifront.c?  I didn't see anything for this.

Best,
Eric

On Thu, Dec 17, 2015 at 1:36 PM, Xen.org security team <security@xxxxxxx> wrote:
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>             Xen Security Advisory CVE-2015-8550 / XSA-155
>                               version 6
>
>     paravirtualized drivers incautious about shared memory contents
>
> UPDATES IN VERSION 6
> ====================
>
> Correct CREDITS section.
>
> ISSUE DESCRIPTION
> =================
>
> The compiler can emit optimizations in the PV backend drivers which
> can lead to double fetch vulnerabilities. Specifically the shared
> memory between the frontend and backend can be fetched twice (during
> which time the frontend can alter the contents) possibly leading to
> arbitrary code execution in backend.
>
> IMPACT
> ======
>
> Malicious guest administrators can cause denial of service.  If driver
> domains are not in use, the impact can be a host crash, or privilege 
> escalation.
>
> VULNERABLE SYSTEMS
> ==================
>
> Systems running PV or HVM guests are vulnerable.
>
> ARM and x86 systems are vulnerable.
>
> All OSes providing PV backends are susceptible, this includes
> Linux and NetBSD. By default the Linux distributions compile kernels
> with optimizations.
>
> MITIGATION
> ==========
>
> There is no mitigation.
>
> CREDITS
> =======
>
> This issue was discovered by Felix Wilhelm (ERNW Research, KIT /
> Operating Systems Group).
>
> RESOLUTION
> ==========
>
> Applying the appropriate attached patches should fix the problem for
> PV backends.  Note only that PV backends are fixed; PV frontend
> patches will be developed and released (publicly) after the embargo
> date.
>
> Please note that there is a bug in some versions of gcc,
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 which can cause the
> construct used in RING_COPY_REQUEST() to be ineffective in some
> circumstances. We have determined that this is only the case when the
> structure being copied consists purely of bitfields. The Xen PV
> protocols updated here do not use bitfields in this way and therefore
> these patches are not subject to that bug. However authors of third
> party PV protocols should take this into consideration.
>
> Linux v4.4:
> xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
> xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
> xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
> xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
> xsa155-linux-xsa155-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
> xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
> xsa155-linux-xsa155-0007-xen-pciback-Save-xen_pci_op-commands-before-processi.patch
> Linux v4.[0,1,2,3]
> All the above patches except #5 will apply, please use:
> xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
> Linux v3.19:
> All the above patches except #5 and #6 will apply, please use:
> xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
> xsa155-linux319-0006-xen-scsiback-safely-copy-requests.patch
>
> qemu-xen:
> xsa155-qemu-qdisk-double-access.patch
> xsa155-qemu-xenfb.patch
>
> qemu-traditional:
> xsa155-qemut-qdisk-double-access.patch
> xsa155-qemut-xenfb.patch
>
> NetBSD 7.0:
> xsa155-netbsd-xsa155-0001-netbsd-xen-Add-RING_COPY_REQUEST.patch
> xsa155-netbsd-xsa155-0002-netbsd-netback-Use-RING_COPY_REQUEST-instead-of-RING.patch
> xsa155-netbsd-xsa155-0003-netbsd-ring-Add-barrier-to-provide-an-compiler-barri.patch
> xsa155-netbsd-xsa155-0004-netbsd-block-only-read-request-operation-from-shared.patch
> xsa155-netbsd-xsa155-0005-netbsd-pciback-Operate-on-local-version-of-xen_pci_o.patch
>
> xen:
> xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
> xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
> xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
>
> xen 4.4:
> All patches except #3 will apply, please use:
> xsa155-xen44-0003-libvchan-Read-prod-cons-only-once.patch
>
> $ sha256sum xsa155*
>
> DEPLOYMENT DURING EMBARGO
> =========================
>
> Deployment of the patches and/or mitigations described above (or
> others which are substantially similar) is permitted during the
> embargo, even on public-facing systems with untrusted guest users and
> administrators.
>
> But: Distribution of updated software is prohibited (except to other
> members of the predisclosure list).
>
> Predisclosure list members who wish to deploy significantly different
> patches and/or mitigations, please contact the Xen Project Security
> Team.
>
> (Note: this during-embargo deployment notice is retained in
> post-embargo publicly released Xen Project advisories, even though it
> is then no longer applicable.  This is to enable the community to have
> oversight of the Xen Project Security Team's decisionmaking.)
>
> For more information about permissible uses of embargoed information,
> consult the Xen Project community's agreed Security Policy:
>   http://www.xenproject.org/security-policy.html
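The double fetch the advisory describes, beside the copy-once pattern its RING_COPY_REQUEST fix is built around, as an added C example that is not from the advisory, the Xen tree or any of the patched backends. `struct blk_request`, `NR_OPS`, the `guest_race_fn` hook that stands in for the guest rewriting the shared page between two backend reads, and the volatile-copy helper are all constructed for this demonstration; the real ring macros and request layouts differ.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a request that lives in a page shared with the guest. */
struct blk_request {
    uint8_t  operation;   /* handler index chosen by the guest */
    uint8_t  nr_segments;
    uint64_t sector;
};

#define NR_OPS 4          /* constructed: ops 0..3 have handlers, anything else does not */

/* Stands in for the guest rewriting the shared page between two backend reads
 * of it: the window the advisory describes. */
typedef void (*guest_race_fn)(struct blk_request *shared);

/* Vulnerable pattern: the op is checked from shared memory, then read from it
 * again when used. Returns the handler index the backend would dispatch on, or -1. */
int dispatch_double_fetch(struct blk_request *shared, guest_race_fn race)
{
    if (shared->operation >= NR_OPS)      /* first fetch: validate */
        return -1;
    if (race) race(shared);               /* guest changes the value here */
    return shared->operation;             /* second fetch: use, now unchecked */
}

/* Hardened pattern, modelled on the RING_COPY_REQUEST idea named in the advisory:
 * copy the request once through a volatile pointer so the compiler cannot fold
 * the copy back into re-reads of shared memory, then touch only the private copy. */
int dispatch_copy_once(struct blk_request *shared, guest_race_fn race)
{
    struct blk_request req = *(volatile struct blk_request *)shared;
    if (req.operation >= NR_OPS)
        return -1;
    if (race) race(shared);               /* guest rewrites the page: no effect */
    return req.operation;
}

/* Constructed guest behaviour for the demonstration: swap in an out-of-range op. */
static void flip_op(struct blk_request *shared) { shared->operation = 0xff; }

/* 1 if the dispatcher produced an index the handler table cannot serve. */
int dispatch_is_unsafe(int (*dispatch)(struct blk_request *, guest_race_fn))
{
    struct blk_request shared = { .operation = 1, .nr_segments = 1, .sector = 0 };
    int idx = dispatch(&shared, flip_op);
    return idx >= NR_OPS;
}
```

The function-pointer hook forces the compiler to re-read the shared page in the double-fetch version, which is the same effect an optimizer can produce on its own when a local copy is elided; the volatile copy removes the second read entirely rather than relying on how the compiler happens to schedule it.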

_______________________________________________
Minios-devel mailing list
Minios-devel@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/minios-devel