
Re: [Xen-devel] Xen Security Advisory 99 - unexpected pitfall in xenaccess API



On 17/06/14 23:13, Andres Lagar Cavilla wrote:
>                     Xen Security Advisory XSA-99
>                              version 2
> 
>                  unexpected pitfall in xenaccess API
> 
> UPDATES IN VERSION 2
> ====================
> 
> Public Release.
> 
> Added note regarding CVE.
> 
> ISSUE DESCRIPTION
> =================
> 
> A test/example program, for exercising the Xen memaccess API, does not
> take all necessary precautions against hostile guest behaviour.
> 
> As a result, software developers using it as an example or template
> might have written and deployed vulnerable code.
> 
>> How?
> 
>> I've looked at the patch. It's the refactor proposed in a separate
>> thread by Dushyant Behl, lifted up a level. Obviously useful, +2.
> 
>> But fundamentally, how is this a vulnerability? Since the dawn of time
>> guests can poke at the qemu and PV frontend rings. So self DoS, check.
>> But, privilege escalation?
> 
>> Is this predicated on the potential (lack of) software quality of the
>> xenaccess backends? That's a fair argument, but a different story.
> 
>> I am puzzled how this is an XSA that addresses "privilege escalation".

Also note:
[netwiz@dev xen-4.2.4]$ patch -p1 < ../xsa-99.patch
patching file tools/libxc/xc_mem_access.c
Hunk #1 succeeded at 24 with fuzz 2.
patching file tools/libxc/xc_mem_event.c
patching file tools/libxc/xenctrl.h
Hunk #1 succeeded at 1907 (offset -116 lines).
Hunk #2 succeeded at 1933 with fuzz 2 (offset -116 lines).
patching file tools/tests/xen-access/xen-access.c
Hunk #1 succeeded at 233 (offset 10 lines).
Hunk #2 succeeded at 254 (offset 10 lines).
Hunk #3 succeeded at 269 (offset 10 lines).
Hunk #4 FAILED at 293.
1 out of 4 hunks FAILED -- saving rejects to file tools/tests/xen-access/xen-access.c.rej

In a nutshell, it doesn't apply cleanly either...

-- 
Steven Haigh

Email: netwiz@xxxxxxxxx
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
