Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 486354 (CVE-2013-1442) - <app-emulation/xen-{4.2.3,4.3.1-r1} : multiple vulnerabilities (CVE-2013-{1442,4355,4356,4361,4368,4369,4370,4371,4375,4416,4494,4551,6375,6885})
Summary: <app-emulation/xen-{4.2.3,4.3.1-r1} : multiple vulnerabilities (CVE-2013-{144...
Status: RESOLVED FIXED
Alias: CVE-2013-1442
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B1 [glsa]
Keywords:
Depends on: CVE-2014-1896
Blocks:
  Show dependency tree
 
Reported: 2013-09-28 18:50 UTC by Agostino Sarubbo
Modified: 2014-07-16 16:46 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-09-28 18:50:31 UTC
From ${URL} :


ISSUE DESCRIPTION
=================

When a guest increases the set of extended state components for a vCPU saved/
restored via XSAVE/XRSTOR (to date this can only be the upper halves of YMM
registers, or AMD's LWP state) after already having touched other extended
registers restored via XRSTOR (e.g. floating point or XMM ones) during its
current scheduled CPU quantum, the hypervisor would make those registers
accessible without discarding the values an earlier scheduled vCPU may have
left in them.

IMPACT
======

A malicious domain may be able to leverage this to obtain sensitive information
such as cryptographic keys from another domain.

VULNERABLE SYSTEMS
==================

Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting AVX and/or LWP.  Any kind of guest can exploit the vulnerability.

In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is disabled by
default; therefore systems running these versions are not vulnerable unless
support is explicitly enabled using the "xsave" hypervisor command line option.

Systems using processors supporting neither AVX nor LWP are not vulnerable.

Xen 3.x and earlier are not vulnerable.

MITIGATION
==========

Turning off XSAVE support via the "no-xsave" hypervisor command line option
will avoid the vulnerability.

CREDITS
=======

Jan Beulich discovered this issue.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa62.patch                 Xen 4.2.x, 4.3.x, and unstable
xsa62-4.1.patch             Xen 4.1.x



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2013-09-30 18:47:00 UTC
XSA 63 (CVE-2013-4355) : http://www.openwall.com/lists/oss-security/2013/09/30/1
XSA 64 (CVE-2013-4356) : http://www.openwall.com/lists/oss-security/2013/09/30/2
XSA 66 (CVE-2013-4361) : http://www.openwall.com/lists/oss-security/2013/09/30/3
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-10-02 03:33:24 UTC
CVE-2013-4361 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4361):
  The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the
  correct variable for the source effective address, which allows local HVM
  guests to obtain hypervisor stack information by reading the values used by
  the instruction.

CVE-2013-4355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4355):
  Xen 4.3.x and earlier does not properly handle certain errors, which allows
  local HVM guests to obtain hypervisor stack memory via a (1) port or (2)
  memory mapped I/O write or (3) other unspecified operations related to
  addresses without associated memory.

CVE-2013-1442 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1442):
  Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly
  clear previous data from registers when using an XSAVE or XRSTOR to extend
  the state components of a saved or restored vCPU after touching other
  restored extended registers, which allows local guest OSes to obtain
  sensitive information by reading the registers.
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2013-10-02 17:00:18 UTC
All these do pertain to app-emulation/xen.  
xen-4.3.0-r1 builds fine with the patches added.
xen-4.2 stable misfires with the first patch listed, xsa62.patch, despite listing Xen 4.2.x. I've emailed the xen ML however stabilising 4.3-0-r1 will make the misfire redundant.

There's the matter of the arm KEYWORD to correct first Ago.

testuser@archtester ~/cvsPortage/gentoo-x86/app-emulation/xen $ ls /mnt/gen2/TmpDir/portage/app-emulation/xen-4.3.0-r1/work/xen-4.3.0//xen/arch/

yields

arm  x86.

Seeing you can't boot a xen kernel in an arm proper, is it impossible then to EVER keyword xen arm?  Otherwise I prompted you months ago to add it anyway. From memory I said building it in arm proper or emulator would suffice.
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2013-10-03 07:17:40 UTC
Bug 477654
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-10-16 01:29:21 UTC
CVE-2013-4356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4356):
  Xen 4.3.x writes hypervisor mappings to certain shadow pagetables when live
  migration is performed on hosts with more than 5TB of RAM, which allows
  local 64-bit PV guests to read or write to invalid memory and cause a denial
  of service (crash).
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-10-24 00:10:01 UTC
CVE-2013-4371 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4371):
  Use-after-free vulnerability in the libxl_list_cpupool function in the libxl
  toolstack library in Xen 4.2.x and 4.3.x, when running "under memory
  pressure," returns the original pointer when the realloc function fails,
  which allows local users to cause a denial of service (heap corruption and
  crash) and possibly execute arbitrary code via unspecified vectors.

CVE-2013-4370 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4370):
  The ocaml binding for the xc_vcpu_getaffinity function in Xen 4.2.x and
  4.3.x frees certain memory that may still be intended for use, which allows
  local users to cause a denial of service (heap corruption and crash) and
  possibly execute arbitrary code via unspecified vectors that trigger a (1)
  use-after-free or (2) double free.

CVE-2013-4369 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4369):
  The xlu_vif_parse_rate function in the libxlu library in Xen 4.2.x and 4.3.x
  allows local users to cause a denial of service (NULL pointer dereference)
  by using the "@" character as the VIF rate configuration.

CVE-2013-4368 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4368):
  The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when
  using FS: or GS: segment override, uses an uninitialized variable as a
  segment base, which allows local 64-bit PV guests to obtain sensitive
  information (hypervisor stack content) via unspecified vectors related to
  stale data in a segment register.
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-29 19:13:51 UTC
XSA 72 (CVE-2013-4416) : http://seclists.org/oss-sec/2013/q4/187
Comment 9 Agostino Sarubbo gentoo-dev 2013-11-01 17:08:06 UTC
XSA 73 : http://www.openwall.com/lists/oss-security/2013/11/01/2 (no cve)
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-11-02 11:41:48 UTC
(In reply to Agostino Sarubbo from comment #9)
> XSA 73 : http://www.openwall.com/lists/oss-security/2013/11/01/2 (no cve)

CVE number was assigned, so, small fix 

XSA 73 (CVE-2013-4494) : http://www.openwall.com/lists/oss-security/2013/11/01/2
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-11-05 02:34:27 UTC
CVE-2013-4494 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4494):
  Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and
  grant_table.lock in the same order, which allows local guest administrators
  with access to multiple vcpus to cause a denial of service (host deadlock)
  via unspecified vectors.

CVE-2013-4416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4416):
  The Ocaml xenstored implementation (oxenstored) in Xen 4.1.x, 4.2.x, and
  4.3.x allows local guest domains to cause a denial of service (domain
  shutdown) via a large message reply.
Comment 12 Ian Delaney (RETIRED) gentoo-dev 2013-11-06 07:20:19 UTC
Added

files/xen-CVE-2013-4368-XSA-67.patch, files/xen-CVE-2013-4375-XSA-71.patch, files/xen-CVE-2013-4494-XSA-73.patch

since these pertain to app-emulation/xen, However, XSAs 68-70, 72 pertain to xen-tools, therefore it seems to me you either yet again edit the header title or whatever the right term is to incorporate app-emulation/xen-tools OR make a new sec. bug for the xsas cited above under xen-tools.

Re 4.2, what a debacle.  From the upstream maintainer,

===============================================
It (xsa-62.patch) applies to 4.2-stable/staging.

2) Backport the xsave patches as well. 
http://xenbits.xen.org/gitweb/?p=xen.git;a=history;f=xen/arch/x86/xstate.c;hb=12b0ee04a16194f064d5b895a844fcdc6414bfc0
should give you a good idea of the patches. 
http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=0bda88abe18029c2bbe9dc5d07cc706bd775c9b7
is probably the main patch needed.

3) Rework the security patch yourself using ....

I highly recommend option 2.
===============================================

So it seems there is xen-4.2 and xen-4.2/staging.  Well to me one ought suffice.
xsa patch 62 fails to take and & patch 63 fails to effect a build.  Though I could attempt option 3) I'm really not naturally inclined.  The version 4.2 therefore has not 1, not 2, but 3 issues.

1. The tarball of xen-4.2 appears to no longer suffice. ! !! !
2. To counter this I need backport (or is it import) a number of separate patches. ! !! !
3. Stable 4.2 appears it should not have been made stable by virtue of Bug 486076, exposing a dep on dev-lang/ocaml-4.x.

The validity of Bug 486076 impacts on 4.3 which also requires 
>=dev-lang/ocaml-4.  This makes stabalising of 4.3.x untenable until the 'fixing' of Bug 486076.  I can make a xen-4.2.2-r2.ebuild IF YOU PROMPT with a 'yep go ahead'.  It will have pertinent patches 64-73, given 62 & 63 DON'T WORK, with xsa71-qemu-xen-4.2.patch & xsa73-4.2.patch, otherwise, hang it.

Re issue 2, I am open to suggestions as to how to manage it, otherwise, hang it.

*xen-4.3.0-r2 (06 Nov 2013)

  06 Nov 2013; Ian Delaney <idella4@gentoo.org>
  +files/xen-CVE-2013-4368-XSA-67.patch, +files/xen-CVE-2013-4375-XSA-71.patch,
  +files/xen-CVE-2013-4494-XSA-73.patch, +xen-4.3.0-r2.ebuild,
  xen-4.2.2-r1.ebuild, xen-4.3.0-r1.ebuild:
  Adding more security patches to 4.3.0 from Bug #486354, 4.2.2 excluded again
  for now
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-11-09 08:41:17 UTC
XSA 75 (CVE-2013-4551) : http://seclists.org/oss-sec/2013/q4/249
Comment 14 Agostino Sarubbo gentoo-dev 2013-11-21 12:02:01 UTC
XSA-78 (CVE-2013-6375) : http://www.openwall.com/lists/oss-security/2013/11/20/3
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-11-21 12:03:21 UTC
XSA 78 (CVE-2013-6375) : http://seclists.org/oss-sec/2013/q4/322
Comment 16 Ian Delaney (RETIRED) gentoo-dev 2013-11-22 12:34:17 UTC
testuser@archtester ~/cvsPortage/gentoo-x86/app-emulation/xen $ USE="efi flask xsm" ebuild xen-4.3.0-r3.ebuild clean prepare install

builds fine

4.2, is still a debacle.  I have had no hints from comment 12, so it stays a debacle.  The 4.3.0 is now updated.  Once 4.3.0 is made stable 4.2 can be dropped off the portage map.  4.3 makes for a viable testing xen*.

I asked you in irc inside a minute of your prompt if you'd care to pressure the maintainer of Bug 486076 into some action considering your activity deals totally with making ebuilds stable, and you gave NO reply. He's had just under a month to date.  xen* stabilising is on hold until there is a stable form of ocaml-4 consequent to the resolution of Bug 486076 unless I totally misinterpret exchanges made in the virtualization channel in recent weeks.

*xen-4.3.0-r3 (22 Nov 2013)

  22 Nov 2013; Ian Delaney <idella4@gentoo.org>
  +files/xen-4.3-CVE-2013-6375-XSA-75.patch,
  +files/xen-CVE-2013-6375-XSA-78.patch, +xen-4.3.0-r3.ebuild,
  -xen-4.3.0-r1.ebuild, -xen-4.3.0-r2.ebuild, -xen-4.3.0.ebuild:
  Adding more security patches to 4.3.0 from Bug #486354, drop old
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-12-02 18:29:17 UTC
XSA 82 (CVE-2013-6885) : http://seclists.org/oss-sec/2013/q4/385
Comment 18 Ian Delaney (RETIRED) gentoo-dev 2013-12-06 14:15:02 UTC
 "if you are able to do a rapid bump, I will do a fast stabilization"

good luck with that.

*xen-4.3.0-r4 (06 Dec 2013)
*xen-4.3.1-r1 (06 Dec 2013)

  06 Dec 2013; Ian Delaney <idella4@gentoo.org>
  +files/xen-CVE-2013-6885-XSA-82.patch, +xen-4.3.0-r4.ebuild,
  +xen-4.3.1-r1.ebuild, -xen-4.3.0-r3.ebuild, -xen-4.3.1.ebuild:
  revbumps; add sec XSA-82.patch, remove old
Comment 19 Ian Delaney (RETIRED) gentoo-dev 2013-12-09 11:39:44 UTC
USE ocaml has now been re-masked in or under profiles/eapi-5-files subsequent to prompting by dlan.

Although far the less desired option, this makes xen* once again prone to be stabilised or is it stabilized. whatever.

arch teams, excluding arm because it doesn't yet build, .... stabilise xen-4.3.1-r1.ebuild, xen-tools-4.3.1-r2, xen-pvgrub-4.3.1.ebuild.
Comment 20 Ian Delaney (RETIRED) gentoo-dev 2013-12-09 14:15:21 UTC
Change; revbump of xen-tools makes now for xen-tools-4.3.1-r3.ebuild
Comment 21 Agostino Sarubbo gentoo-dev 2013-12-10 13:34:34 UTC
amd64 stable
Comment 22 Agostino Sarubbo gentoo-dev 2013-12-10 13:35:05 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 23 Yury German Gentoo Infrastructure gentoo-dev 2013-12-11 05:25:27 UTC
glsa filed
Comment 24 Yury German Gentoo Infrastructure gentoo-dev 2013-12-30 05:11:27 UTC
Ping!

Maintainer(s), please drop the vulnerable version.
Comment 25 Yixun Lan archtester gentoo-dev 2014-02-14 10:26:18 UTC
fixed in xen-tools-4.2.3, xen-4.2.3
idella4 hilight me to specially mention that XSA-62, 63 has been solved, see bug #500530 for details
Comment 26 Yury German Gentoo Infrastructure gentoo-dev 2014-05-21 03:20:17 UTC
Arches and Mainter(s), Thank you for your work.

Added to an existing GLSA request.
Comment 27 GLSAMaker/CVETool Bot gentoo-dev 2014-07-16 16:46:26 UTC
This issue was resolved and addressed in
 GLSA 201407-03 at http://security.gentoo.org/glsa/glsa-201407-03.xml
by GLSA coordinator Mikle Kolyada (Zlogene).