[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] Xen Security Advisory 98 - insufficient permissions checks accessing guest memory on ARM
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-98 version 2 insufficient permissions checks accessing guest memory on ARM UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= When accessing guest memory Xen does not correctly perform permissions checks on the (possibly guest provided) virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it should only be able to read. A guest running on a vulnerable system is able to write to memory which should be read-only. This includes supposedly read only foreign mappings established using the grant table mechanism. Such read-only mappings are commonly used as part of the paravirtualised I/O drivers (such as guest disk write and network transmit). In order to exploit this vulnerability the guest must have a mapping of the memory; it does not allow access to arbitrary addresses. In the event that a guest executes code from a page which has been shared read-only with another guest it would be possible to mount a take over attack on that guest. IMPACT ====== A domain which is deliberately exchanging data with another, malicious, domain, may be vulnerable to privilege escalation. The vulnerability depends on the precise behaviour of the victim domain. In a typical configuration this means that, depending on the behaviour of the toolstack or device driver domain, a malicious guest administrator might be able to escalate their privilege to that of the whole host. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. RESOLUTION ========== Applying the appropriate pair of attached patches resolves this issue. xsa98-unstable-{01,02}.patch xen-unstable xsa98-4.4-{01,02}.patch Xen 4.4.x $ sha256sum xsa98*.patch 6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b xsa98-4.4-01.patch b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d xsa98-4.4-02.patch b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb xsa98-unstable-01.patch f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67 xsa98-unstable-02.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTjyK/AAoJEIP+FMlX6CvZfcAIALcaI5AdccPTHVJjTFqAly6A ZJ787YT7utUjaHTuqo+rFn7UkQLfXtqGXoLmxX4I6kTWSasiN89MCUiMMEhAKz/p WAyHPxOgbU/67hE6K6G9Xfon+Oi0NmQyaT8yiq2tgNMA5BT0TLRa1hVP70ixvXGd bC1MTMKLHynrMByK2S7NKt3YZLg0t8yTtCAYQ/BbjiS+2WYA552HEI7xrFPNhZ7Y WMykHUp+G6xBj3E1xxHnuvmixr/8mAgZmfkqLdzb66wUxuxev6ZhACS5JkjFGI8S lFMGZ52W/JiinqxtXs9WPGPiaBmW0+AmfCr6OjMfPsOzeZavrmFMAsz9AUehDag= =96+i -----END PGP SIGNATURE----- Attachment:
xsa98-4.4-01.patch Attachment:
xsa98-4.4-02.patch Attachment:
xsa98-unstable-01.patch Attachment:
xsa98-unstable-02.patch _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |