
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable

Steven C. Timm, Ph.D  (630) 840-8525
timm@xxxxxxxx  http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Assistant Group Leader.

On Fri, 5 Oct 2007, Mark Williamson wrote:

I guess what I am really trying to get at is the following:
What, if anything, of the Xen code base is built into
the kernel rpms that redhat 5 and friends distribute as kernel-xen
(for instance, kernel-xen-2.6.18-8.1.14.el5, just released
to patch the vulnerability that started this thread).
Is there anything that's version specific?  Is there anything
that ties it to xen 3.0.3?  How can I look at the kernel config
files and tell the difference, if necessary?

For a long time, Xen, dom0's kernel and the dom0 tools had to be compiled from
the same source tree in order to work together.  Some time after Xen 3.0.3,
(the 3.0.4 release if I recall correctly) the dom0 kernel was decoupled from
this, so that from that point on you could use any released dom0 kernel with
any subsequent version of Xen and the tools.  However, you will not
necessarily get full functionality unless you use a new enough dom0 kernel.

In short: that kernel probably needs to be matched with a 3.0.3 Xen and tools
in order for things to work properly.

So is it your opinion that the solution proposed earlier in this thread, namely slapping the xen 3.1.0 hypervisor tarball into the source tree for redhat's kernel-xen in place of the xen 3.0.3 tarball, may not work?

I am not necessarily tied to running redhat-like 2.6.18 kernel variants
(which of course incorporate a lot of patches from much higher versions
of the kernel).  I'm just trying to find a model where I can
have an underlying redhat-like distro and still have some sort of
clear patching path for the kernel, preferably without having to do all the building of kernels
from source myself.  And I am trying to figure out what other
people like myself are doing--namely those who need to keep
Xen 3.1.0 plus some kind of redhat working together and security-patched.
Is there anyone on this list who has such a setup working at the moment?

It may be slightly off-topic for this list, but do the people who
are paying the cash to Xensource for the enterprise edition get
these kinds of patches or do they have the same dilemma?

I'm learning a lot from this discussion and appreciate everyone's help, but hopefully someone can point me to a solution of the form "here is
what I did and it works" rather than "maybe this will work."

Steve Timm

I went and got the kernels from xensource that were compiled with
xen 3.1.0 because people on this list told me that this was required
to do what I wanted to do, namely 64bit dom0 plus 32bit PAE domU's.

I think that was probably me :-)

I understand that a xen 3.0.3-compiled kernel could be a domU in this
setup but not a dom0.  Is this understanding wrong?

It definitely couldn't be a dom0.

Actually, a 3.0.3 kernel quite possibly wouldn't boot in 32-bit mode on a
64-bit Xen from the 3.1 release.  That's because of a fix that hadn't yet
been pushed at release time - when 3.1 came out, your 32-bit compat mode
kernel needed to be a recent one or it wouldn't work.  The compatibility for
older kernels was added later, so it'll be in xen-unstable and I guess it'll
probably be in 3.1.1.

Sorry for getting bogged down in a confusing sea of version numbers here.
It's partly because the interfaces keep changing, and because which
interfaces can change is also changing :-)

I'm not sure I'm in a very good state to be coherent, so I'll stop here.  If I
don't make sense, please ask more questions.


Dave: Just a question. What use is a unicycle with no seat?  And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!

Xen-users mailing list
