Xen project Mailing List

[Xen-users] Xen Security Advisory 101 - information leak via gnttab_setup_table on ARM

To: xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

From: Xen.org security team <security@xxxxxxx>

Date: Wed, 25 Jun 2014 12:37:20 +0000

Cc: "Xen.org security team" <security@xxxxxxx>

Delivery-date: Wed, 25 Jun 2014 12:37:55 +0000

List-id: Xen user discussion <xen-users.lists.xen.org>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-101 version 2 information leak via gnttab_setup_table on ARM UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= When initialising an internal data structure on ARM platform Xen was not correctly initialising the memory containing the list of a domain's grant table pages. This list is returned by the GNTTABOP_setup_table subhypercall, leading to an information leak. IMPACT ====== Malicious guest administrators can obtain some of the memory contents of other domains: Up to 8*max_nr_grant_frames bytes of uninitialised memory can be leaked to the calling domain. This memory may have been previously used by either the hypervisor or other guests. The default max_nr_grant_frames is 32, hence by default 256 bytes may be leaked in this way. However this can be overridden via the "gnttab_max_nr_frames" hypervisor command line option. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. RESOLUTION ========== Applying the attached patch resolves this issue. xsa101.patch xen-unstable, Xen 4.4.x $ sha256sum xsa101*.patch 12ea475265a0804a3a42f620d7065a7408a5ae4b017c871847424c7247c204e9 xsa101.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTqsJaAAoJEIP+FMlX6CvZ0MkIALeL89QbVy7yAsLQ/JY6HhZA Y61HLh7VX9rwZd2pQJoJC3dSPtMCfeo25yd8ryDB4QEQci5qSk/P5gnBkXMUjDTL PbLHimTvGXdAOI3+TYGC6H/dHfqkMeOr/w9cNuS3GuvmpYGpDnb3iE14x5I+JKJJ JPY1tMwettCU3aWmMd1DHzM3cY2qUxQBPN5Itwev6AjPu9w4eFUBV2/u1CsRIQKT 2UBl7uFPm70MmYAzhr30RHOZRQD70ixFDbs1RH1vQsIbF+J8dTOsuzRd03CwVe4A ib0CUm6Emd8zvnGAFU7WZdY6roIukp/Qk5T4mdtlmFtKXuVfBhlCPuc45cBvwyM= =uOne -----END PGP SIGNATURE-----

Attachment: xsa101.patch
Description: Binary data

_______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxx http://lists.xen.org/xen-users

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.