Bug 510312 - <app-emulation/xen-4.4.0-r3: input handling vulnerabilities loading guest kernel on ARM (XSA-95) (CVE-2014-{3714,3715,3716,3717})
Summary: <app-emulation/xen-4.4.0-r3: input handling vulnerabilities loading guest ker...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-14 12:31 UTC by Agostino Sarubbo
Modified: 2015-01-04 02:28 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2014-05-14 12:31:18 UTC
From ${URL} :

                    Xen Security Advisory XSA-95
                             version 2

      input handling vulnerabilities loading guest kernel on ARM

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

When loading a 32-bit ARM guest kernel the Xen tools did not correctly
validate the length of the kernel against the actual image size.  This
would then lead to an overrun on the input buffer when loading the
kernel into guest RAM.

Furthermore when checking a 32-bit guest kernel for an appended DTB,
the Xen tools were prone to additional overruns also leading to an
overrun on the input buffer when loading the kernel into guest RAM.
Also, the tools would access a field in the putative DTB header
without checking for its alignment.

When loading a 64-bit ARM guest kernel the tools similarly did not
fully validate the requested load addresses, possibly leading to an
overrun on the input buffer when loading the kernel into guest RAM.

IMPACT
======

An attacker who can control the kernel used to boot a guest can
exploit these issues.

Exploiting the overflow issues allows information which follows the
guest kernel in the toolstack address space to be copied into the
guest's memory, constituting an information leak.

Alternatively either the overflow or alignment issues could be used to
crash the toolstack process, leading to a denial of service.

VULNERABLE SYSTEMS
==================

ARM systems are vulnerable from Xen 4.4 onwards.

MITIGATION
==========

Ensuring that guests use only trustworthy kernels will avoid this
problem.

CREDITS
=======

This issue was discovered by Thomas Leonard.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa95.patch        xen-unstable, Xen 4.4.x
@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
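The advisory above describes three separate input-validation gaps in the guest kernel loader: a header-declared kernel length that was never compared against the real image size, an appended-DTB probe that read past the image end and dereferenced the DTB header word without checking its alignment, and a 64-bit load address that was not bounded against guest RAM. The following C is an added illustration, written for this page and not taken from Xen's tools or from the xsa95.patch: it shows the shape of the checks a loader needs before copying image bytes into guest memory, using a small constructed image buffer (a 16-byte stand-in kernel followed by a flattened device tree header whose magic value 0xd00dfeed is the standard FDT magic). The function names, the demo image contents and the RAM window values are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not Xen code: the three bounds/alignment checks that
 * XSA-95 describes, applied to a constructed in-memory image. */

#define FDT_MAGIC 0xd00dfeedU  /* standard flattened-device-tree magic, big-endian on disk */

/* Constructed image: 16 bytes standing in for a kernel, then an FDT header
 * start (magic + a made-up totalsize field). 24 bytes in total. */
const uint8_t demo_image[24] = {
    0xe1, 0xa0, 0x00, 0x00,  0xe1, 0xa0, 0x00, 0x00,
    0xe1, 0xa0, 0x00, 0x00,  0xe1, 0xa0, 0x00, 0x00,
    0xd0, 0x0d, 0xfe, 0xed,  0x00, 0x00, 0x00, 0x08
};

/* Read a big-endian 32-bit word. The caller guarantees that four bytes are
 * in bounds and that the offset is 4-byte aligned. */
static uint32_t be32_at(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Check 1: a kernel length taken from the image header is attacker-supplied;
 * it must not exceed the number of bytes actually present in the image,
 * otherwise the copy into guest RAM overruns the input buffer. */
bool kernel_len_ok(size_t claimed_len, size_t image_size)
{
    return claimed_len <= image_size;
}

/* Check 2: before treating the bytes after the kernel as an appended DTB,
 * require that the candidate offset is inside the image, is 4-byte aligned
 * (so the header word may be dereferenced), and leaves room for the magic. */
bool appended_dtb_present(const uint8_t *image, size_t image_size, size_t kernel_len)
{
    if (!kernel_len_ok(kernel_len, image_size))
        return false;
    if (kernel_len % 4 != 0)          /* unaligned: do not read the word at all */
        return false;
    if (image_size - kernel_len < 4)  /* no room for a full 32-bit magic field */
        return false;
    return be32_at(image + kernel_len) == FDT_MAGIC;
}

/* Check 3: a requested load address must keep the whole image inside the
 * guest RAM window. The subtraction form cannot wrap, unlike load_addr + len. */
bool load_addr_ok(uint64_t load_addr, size_t len, uint64_t ram_base, uint64_t ram_size)
{
    if (load_addr < ram_base)
        return false;
    if (len > ram_size)
        return false;
    return load_addr - ram_base <= ram_size - len;
}

/* Runs the three checks over the constructed image; returns true when the
 * image is accepted with the expected appended DTB and a valid load address. */
bool validate_demo_image(void)
{
    const size_t kernel_len = 16;               /* as if read from the image header */
    const uint64_t ram_base = 0x40000000ULL;    /* assumed guest RAM window */
    const uint64_t ram_size = 1ULL << 20;

    if (!kernel_len_ok(kernel_len, sizeof demo_image))
        return false;
    if (!appended_dtb_present(demo_image, sizeof demo_image, kernel_len))
        return false;
    return load_addr_ok(ram_base + 0x8000, sizeof demo_image, ram_base, ram_size);
}

int main(void)
{
    printf("constructed image accepted: %s\n", validate_demo_image() ? "yes" : "no");
    return 0;
}
```

The point of splitting the checks this way is that each one guards a distinct read: the length check guards the bulk copy, the alignment and remaining-size checks guard the single header dereference, and the load-address check guards the destination rather than the source. A loader that only performs the first would still read past the image end when probing for the DTB, which is exactly the second issue the advisory lists.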
Comment 1 Yixun Lan archtester gentoo-dev 2014-05-14 14:25:03 UTC
Thanks for reporting. We are now tracking upstream's stable branch for security issues. Currently there are no XSA-95 patches committed, so let's wait for a while.

Also, I plan to request stabilization of 4.3.2-r2 and 4.2.4-r2 (will CC in another bug).
Comment 2 Yixun Lan archtester gentoo-dev 2014-05-14 14:59:51 UTC
+*xen-tools-4.4.0-r3 (14 May 2014)
+
+  14 May 2014; Yixun Lan <dlan@gentoo.org> -xen-tools-4.4.0-r2.ebuild,
+  +xen-tools-4.4.0-r3.ebuild:
+  upstream patches bump, fix security bug #510312
Comment 3 Agostino Sarubbo gentoo-dev 2014-05-15 10:35:40 UTC
Closing as noglsa.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 02:28:37 UTC
CVE-2014-3717 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3717):
  Xen 4.4.x does not properly validate the load address for 64-bit ARM guest
  kernels, which allows local users to read system memory or cause a denial of
  service (crash) via a crafted kernel, which triggers a buffer overflow.

CVE-2014-3716 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3716):
  Xen 4.4.x does not properly check alignment, which allows local users to
  cause a denial of service (crash) via an unspecified field in a DTB header
  in a 32-bit guest kernel.

CVE-2014-3715 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3715):
  Buffer overflow in Xen 4.4.x allows local users to read system memory or
  cause a denial of service (crash) via a crafted 32-bit guest kernel, related
  to searching for an appended DTB.

CVE-2014-3714 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3714):
  The ARM image loading functionality in Xen 4.4.x does not properly validate
  kernel length, which allows local users to read system memory or cause a
  denial of service (crash) via a crafted 32-bit ARM guest kernel in an image,
  which triggers a buffer overflow.