[Xen-devel] Xen Security Advisory 55 - Multiple vulnerabilities in libelf PV kernel handling
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Xen Security Advisory XSA-55
version 3

Multiple vulnerabilities in libelf PV kernel handling

UPDATES IN VERSION 3
====================

Fixed patch series provided. These patches have been as thoroughly
reviewed as possible and subjected to various regression testing.

NOTE REGARDING CVE
==================

We have not yet been assigned a CVE number for this issue.

ISSUE DESCRIPTION
=================

The ELF parser used by the Xen tools to read domains' kernels and
construct domains has multiple integer overflows, pointer dereferences
based on calculations from unchecked input values, and other problems.

IMPACT
======

A malicious PV domain administrator who can specify their own kernel
can escalate their privilege to that of the domain construction tools
(i.e., normally, to control of the host).

Additionally a malicious HVM domain administrator who is able to
supply their own firmware ("hvmloader") can do likewise; however we
think this would be very unusual and it is unlikely that such
configurations exist in production systems.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

Installations which only allow the use of trustworthy kernels for PV
domains are not affected.

MITIGATION
==========

Ensuring that PV guests use only trustworthy kernels will avoid this
problem.

RESOLUTION
==========

Applying the appropriate attached patch series will resolve this
issue.
xsa55-4.1/*.patch             Xen 4.1.x
xsa55-4.2/*.patch             Xen 4.2.x
xsa55-unstable/*.patch        xen-unstable

$ sha256sum xsa55-*/*.patch

Attachment:
xsa55-4.1/0001-libelf-abolish-libelf-relocate.c.patch Attachment:
xsa55-4.1/0002-libxc-introduce-xc_dom_seg_to_ptr_pages.patch Attachment:
xsa55-4.1/0003-libxc-Fix-range-checking-in-xc_dom_pfn_to_ptr-etc.patch Attachment:
xsa55-4.1/0004-libelf-abolish-elf_sval-and-elf_access_signed.patch Attachment:
xsa55-4.1/0005-libelf-xc_dom_load_elf_symtab-Do-not-use-syms-uninit.patch Attachment:
xsa55-4.1/0006-libelf-introduce-macros-for-memory-access-and-pointe.patch Attachment:
xsa55-4.1/0007-tools-xcutils-readnotes-adjust-print_l1_mfn_valid_no.patch Attachment:
xsa55-4.1/0008-libelf-check-nul-terminated-strings-properly.patch Attachment:
xsa55-4.1/0009-libelf-check-all-pointer-accesses.patch Attachment:
xsa55-4.1/0010-libelf-Check-pointer-references-in-elf_is_elfbinary.patch Attachment:
xsa55-4.1/0011-libelf-Make-all-callers-call-elf_check_broken.patch Attachment:
xsa55-4.1/0012-libelf-use-C99-bool-for-booleans.patch Attachment:
xsa55-4.1/0013-libelf-use-only-unsigned-integers.patch Attachment:
xsa55-4.1/0014-libxc-Introduce-xc_bitops.h.patch Attachment:
xsa55-4.1/0015-libelf-check-loops-for-running-away.patch Attachment:
xsa55-4.1/0016-libelf-abolish-obsolete-macros.patch Attachment:
xsa55-4.1/0017-libxc-Add-range-checking-to-xc_dom_binloader.patch Attachment:
xsa55-4.1/0018-libxc-check-failure-of-xc_dom_-_to_ptr-xc_map_foreig.patch Attachment:
xsa55-4.1/0019-libxc-check-return-values-from-malloc.patch Attachment:
xsa55-4.1/0020-libxc-range-checks-in-xc_dom_p2m_host-and-_guest.patch Attachment:
xsa55-4.1/0021-libxc-check-blob-size-before-proceeding-in-xc_dom_ch.patch Attachment:
xsa55-4.2/0001-libelf-abolish-libelf-relocate.c.patch Attachment:
xsa55-4.2/0002-libxc-introduce-xc_dom_seg_to_ptr_pages.patch Attachment:
xsa55-4.2/0003-libxc-Fix-range-checking-in-xc_dom_pfn_to_ptr-etc.patch Attachment:
xsa55-4.2/0004-libelf-add-struct-elf_binary-parameter-to-elf_load_i.patch Attachment:
xsa55-4.2/0005-libelf-abolish-elf_sval-and-elf_access_signed.patch Attachment:
xsa55-4.2/0006-libelf-move-include-of-asm-guest_access.h-to-top-of-.patch Attachment:
xsa55-4.2/0007-libelf-xc_dom_load_elf_symtab-Do-not-use-syms-uninit.patch Attachment:
xsa55-4.2/0008-libelf-introduce-macros-for-memory-access-and-pointe.patch Attachment:
xsa55-4.2/0009-tools-xcutils-readnotes-adjust-print_l1_mfn_valid_no.patch Attachment:
xsa55-4.2/0010-libelf-check-nul-terminated-strings-properly.patch Attachment:
xsa55-4.2/0011-libelf-check-all-pointer-accesses.patch Attachment:
xsa55-4.2/0012-libelf-Check-pointer-references-in-elf_is_elfbinary.patch Attachment:
xsa55-4.2/0013-libelf-Make-all-callers-call-elf_check_broken.patch Attachment:
xsa55-4.2/0014-libelf-use-C99-bool-for-booleans.patch Attachment:
xsa55-4.2/0015-libelf-use-only-unsigned-integers.patch Attachment:
xsa55-4.2/0016-libelf-check-loops-for-running-away.patch Attachment:
xsa55-4.2/0017-libelf-abolish-obsolete-macros.patch Attachment:
xsa55-4.2/0018-libxc-Add-range-checking-to-xc_dom_binloader.patch Attachment:
xsa55-4.2/0019-libxc-check-failure-of-xc_dom_-_to_ptr-xc_map_foreig.patch Attachment:
xsa55-4.2/0020-libxc-check-return-values-from-malloc.patch Attachment:
xsa55-4.2/0021-libxc-range-checks-in-xc_dom_p2m_host-and-_guest.patch Attachment:
xsa55-4.2/0022-libxc-check-blob-size-before-proceeding-in-xc_dom_ch.patch Attachment:
xsa55-4.2/0023-libxc-Better-range-check-in-xc_dom_alloc_segment.patch Attachment:
xsa55-unstable/0001-libelf-abolish-libelf-relocate.c.patch Attachment:
xsa55-unstable/0002-libxc-introduce-xc_dom_seg_to_ptr_pages.patch Attachment:
xsa55-unstable/0003-libxc-Fix-range-checking-in-xc_dom_pfn_to_ptr-etc.patch Attachment:
xsa55-unstable/0004-libelf-add-struct-elf_binary-parameter-to-elf_load_i.patch Attachment:
xsa55-unstable/0005-libelf-abolish-elf_sval-and-elf_access_signed.patch Attachment:
xsa55-unstable/0006-libelf-move-include-of-asm-guest_access.h-to-top-of-.patch Attachment:
xsa55-unstable/0007-libelf-xc_dom_load_elf_symtab-Do-not-use-syms-uninit.patch Attachment:
xsa55-unstable/0008-libelf-introduce-macros-for-memory-access-and-pointe.patch Attachment:
xsa55-unstable/0009-tools-xcutils-readnotes-adjust-print_l1_mfn_valid_no.patch Attachment:
xsa55-unstable/0010-libelf-check-nul-terminated-strings-properly.patch Attachment:
xsa55-unstable/0011-libelf-check-all-pointer-accesses.patch Attachment:
xsa55-unstable/0012-libelf-Check-pointer-references-in-elf_is_elfbinary.patch Attachment:
xsa55-unstable/0013-libelf-Make-all-callers-call-elf_check_broken.patch Attachment:
xsa55-unstable/0014-libelf-use-C99-bool-for-booleans.patch Attachment:
xsa55-unstable/0015-libelf-use-only-unsigned-integers.patch Attachment:
xsa55-unstable/0016-libelf-check-loops-for-running-away.patch Attachment:
xsa55-unstable/0017-libelf-abolish-obsolete-macros.patch Attachment:
xsa55-unstable/0018-libxc-Add-range-checking-to-xc_dom_binloader.patch Attachment:
xsa55-unstable/0019-libxc-check-failure-of-xc_dom_-_to_ptr-xc_map_foreig.patch Attachment:
xsa55-unstable/0020-libxc-check-return-values-from-malloc.patch Attachment:
xsa55-unstable/0021-libxc-range-checks-in-xc_dom_p2m_host-and-_guest.patch Attachment:
xsa55-unstable/0022-libxc-check-blob-size-before-proceeding-in-xc_dom_ch.patch Attachment:
xsa55-unstable/0023-libxc-Better-range-check-in-xc_dom_alloc_segment.patch
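
The bug class named in the ISSUE DESCRIPTION above (integer overflows and pointer arithmetic on unchecked ELF fields), shown as an added example; this is not Xen's libelf code and not taken from the XSA-55 patches. The names range_ok, check_elf64_segments and make_sample are hypothetical, and only little-endian ELF64 images are handled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define IMG_SIZE 120u /* constructed sample: 64-byte ELF64 header + one 56-byte phdr */

/* Naive check: off + len can wrap modulo 2^64 and pass for a huge off. */
bool range_ok_naive(uint64_t off, uint64_t len, uint64_t size)
{ return off + len <= size; }
/* Overflow-safe check: never adds two untrusted values. */
bool range_ok(uint64_t off, uint64_t len, uint64_t size)
{ return off <= size && len <= size - off; }

/* Little-endian read of n bytes at off; the caller has range-checked it. */
static uint64_t rd(const uint8_t *img, uint64_t off, unsigned n)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++) v |= (uint64_t)img[off + i] << (8 * i);
    return v;
}

/* Returns the number of program headers accepted, or -1 on any bad range. */
int check_elf64_segments(const uint8_t *img, uint64_t size)
{
    if (size < 64 || memcmp(img, "\177ELF", 4) != 0 || img[4] != 2 || img[5] != 1)
        return -1;                              /* need ELF64, little-endian */
    uint64_t phoff = rd(img, 32, 8), phentsize = rd(img, 54, 2), phnum = rd(img, 56, 2);
    if (phentsize < 56 || !range_ok(phoff, phentsize * phnum, size))
        return -1;                              /* table must lie inside the image */
    for (uint64_t i = 0; i < phnum; i++) {      /* bounded: phnum <= 65535 */
        uint64_t ph = phoff + i * phentsize;    /* safe: inside the checked table */
        if (!range_ok(rd(img, ph + 8, 8), rd(img, ph + 32, 8), size))
            return -1;                          /* p_offset/p_filesz leave the image */
    }
    return (int)phnum;
}

/* Constructed sample image with one segment; not taken from any real kernel. */
void make_sample(uint8_t img[IMG_SIZE], uint64_t p_offset, uint64_t p_filesz)
{
    memset(img, 0, IMG_SIZE);
    memcpy(img, "\177ELF\002\001", 6);          /* magic, ELFCLASS64, ELFDATA2LSB */
    img[32] = 64; img[54] = 56; img[56] = 1;    /* e_phoff, e_phentsize, e_phnum */
    for (unsigned i = 0; i < 8; i++) {
        img[72 + i] = (uint8_t)(p_offset >> (8 * i));
        img[96 + i] = (uint8_t)(p_filesz >> (8 * i));
    }
}
int main(void)
{
    uint8_t img[IMG_SIZE];
    make_sample(img, 0xFFFFFFFFFFFFFFF0ULL, 0x20); /* offset + size wraps to 0x10 */
    return check_elf64_segments(img, IMG_SIZE) == -1 ? 0 : 1;
}
```

The naive form accepts the wrapped range because the sum is computed before it is compared; the safe form compares each untrusted value against what remains of the image.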