579072 – (CVE-2016-3960) <app-emulation/xen{,tools}-{4.5.2-r6, 4.6.0-r10, 4.6.1-r1}: x86 shadow pagetables - address width overflow - XSA-173 (CVE-2016-3960)

Bug 579072 (CVE-2016-3960) - <app-emulation/xen{,tools}-{4.5.2-r6, 4.6.0-r10, 4.6.1-r1}: x86 shadow pagetables - address width overflow - XSA-173 (CVE-2016-3960)

Summary: <app-emulation/xen{,tools}-{4.5.2-r6, 4.6.0-r10, 4.6.1-r1}: x86 shadow pageta...

Status:	RESOLVED FIXED

Alias:	CVE-2016-3960

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	C3 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2016-04-05 05:27 UTC by Yury German
Modified:	2016-11-12 11:57 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Yury German Gentoo Infrastructure

2016-04-05 05:27:34 UTC

Xen Security Advisory XSA-173

             x86 shadow pagetables: address width overflow

              *** EMBARGOED UNTIL 2016-04-18 12:00 UTC ***

ISSUE DESCRIPTION
=================

In the x86 shadow pagetable code, the guest frame number of a
superpage mapping is stored in a 32-bit field.  If a shadowed guest
can cause a superpage mapping of a guest-physical address at or above
2^44 to be shadowed, the top bits of the address will be lost, causing
an assertion failure or NULL dereference later on, in code that
removes the shadow.


IMPACT
======

A HVM guest using shadow pagetables can cause the host to crash.

A PV guest using shadow pagetables (i.e. being migrated) with PV
superpages enabled (which is not the default) can crash the host, or
corrupt hypervisor memory, and so a privilege escalation cannot be
ruled out.


VULNERABLE SYSTEMS
==================

Xen versions from 3.4 onwards are affected.

Only x86 variants of Xen are susceptible.  ARM variants are not
affected.

HVM guests using shadow mode paging can expose this vulnerability.  HVM
guests using Hardware Assisted Paging (HAP) are unaffected.

Systems running PV guests with PV superpages enabled are vulnerable if
those guests undergo live migration.  PV superpages are disabled by
default, so systems are not vulnerable in this way unless
"allowsuperpage" is on the Xen command line.

To discover whether your HVM guests are using HAP, or shadow page
tables: request debug key `q' (from the Xen console, or with
`xl debug-keys q').  This will print (to the console, and visible in
`xl dmesg'), debug information for every domain, containing something
like this:

  (XEN) General information for domain 2:
  (XEN)     refcnt=1 dying=2 pause_count=2
  (XEN)     nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400
  (XEN)     handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000
  (XEN)     paging assistance: hap refcounts translate external
                               ^^^
The presence of `hap' here indicates that the host is not
vulnerable to this domain.  For an HVM domain the presence of `shadow'
indicates that the domain can exploit the vulnerability.


MITIGATION
==========

Running only PV guests will avoid this vulnerability, unless PV
superpage support is enabled (see above).

Running HVM guests with Hardware Assisted Paging (HAP) enabled will
also avoid this vulnerability.  This is the default mode on hardware
supporting HAP, but can be overridden by hypervisor command line
option and guest configuration setting.  Such overrides ("hap=0" in
either case, with variants like "no-hap" being possible in the
hypervisor command line case) would need to be removed to avoid this
vulnerability.


RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa173-unstable.patch  xen-unstable
xsa173-4.6.patch       Xen 4.6.x
xsa173-4.5.patch       Xen 4.5.x
xsa173-4.4.patch       Xen 4.4.x
xsa173-4.3.patch       Xen 4.3.x

$ sha256sum xsa173*
7cecf050bb52494e1dfbc03ace594ce3d792ecd61def3a32cc6d749b6f04dbc3  xsa173-unstable.patch
1c5b564c076eeb826906701e5f1360872ef011bef83ac6089ef99bea1c877992  xsa173-4.3.patch
37728cb397b8781a6439b9763998c54d1539c838e3690476946ae104666d287f  xsa173-4.4.patch
7ce3c4860fe1b9eda059276e8951149e7da36f8692f60b520dbbfb34e306b5d6  xsa173-4.5.patch
5c61f5e924b29fd2553e78323352f99e4432b60763a5b04ddc4670baf7d9e55c  xsa173-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

Comment 1 Ian Delaney (RETIRED) gentoo-dev

2016-04-23 10:07:10 UTC

commit 70be44e9eb6b0c1dd98234059f8d9cefb25b29dc
Author: Ian Delaney <idella4@gentoo.org>
Date:   Sat Apr 23 18:03:54 2016 +0800

    app-emulation/xen: revbumps subsequent to addition of xsa sec patches
    
    versions; 4.5.2-r6 4.6.0-r10 4.6.1-r1
    sec patches; xsa 172 173
    
    Gentoo-bug: #579074 #579072
    
commit 90911e349565fc34ba172e2622e2ec29650844be
Author: Ian Delaney <idella4@gentoo.org>
Date:   Sat Apr 23 17:57:23 2016 +0800

    app-emulation/xen-tools: revbumps subsequent to addition of xsa sec patches
    
    versions; 4.5.2-r6 4.6.0-r10 4.6.1-r1
    sec patches; xsa 172 173
    
    Gentoo-bug: #579074 #579072

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2016-11-12 11:57:14 UTC

Long fixed.

GLSA Vote: No.