|Summary:||<app-emulation/xen-3.4.2-r4: Host Crash Denial of Service Vulnerability (CVE-2011-2901)|
|Product:||Gentoo Security||Reporter:||Tim Sammut (RETIRED) <underling>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
|Bug Depends on:|
Description Tim Sammut (RETIRED) 2011-10-02 05:19:52 UTC
From the upstream advisory as shared on oss-security at $URL: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2011-2901 / XSA-4 revision no.2 Xen <= 3.3 DoS due to incorrect virtual address validation ISSUE DESCRIPTION ================= The x86_64 __addr_ok() macro intends to ensure that the checked address is either in the positive half of the 48-bit virtual address space, or above the Xen-reserved area. However, the current shift count is off-by-one, allowing full access to the "negative half" too, via certain hypercalls which ignore virtual-address bits [63:48]. Vulnerable hypercalls exist only in very old versions of the hypervisor. VULNERABLE SYSTEMS ================== All systems running a Xen 3.3 or earlier hypervisor with 64-bit PV guests with untrusted administrators are vulnerable. IMPACT ====== A malicious guest administrator on a vulnerable system is able to crash the host. There are no known further exploits but these have not been ruled out. RESOLUTION ========== The attached patch resolves the issue. Alternatively, users may choose to upgrade to a more recent hypervisor PATCHES ======= The following patch resolves this issue. Filename: fix-__addr_ok-limit.patch SHA1: f18bde8d276110451c608a16f577865aa1226b4f SHA256: 2da5aac72e1ac4849c34d38374ae456795905fd9512eef94b48fc31383c21636 This patch should apply cleanly, and fix the problem, for all affected versions of Xen. It is harmless when applied to later hypervisors and will be included in the Xen unstable branch in due course. VERSION HISTORY =============== Analysis following version 1 of this advisory (sent out to the predisclosure list during the embargo period) indicates that the actual DoS vulnerability only exists in very old hypervisors, Xen 3.3 and earlier, contrary to previous reports. This advisory is no longer embargoed. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJOYLq2AAoJEIP+FMlX6CvZLegH/26/oJBkd/WM/yYhXkzlbnIP MxF6Fgy96Omu8poQTanD7g1vEcM0TOLY+Kk3GGsfj4aDdEJ5Nq4ZOW8ooI0VnVcD 7VXQqFsXPxre+eZ6g+G0AsmzdsG45C3qujUTRfGKqzYwXqjWjt9nNsdIy1Mrz8/4 zG1uLDkN0LXnBG2Te4q8ZckYwMq8gFXHHnH35RfQ5Besu6pvJmtK3rFXETdlP12A JjBh7t5jsCfzvYWFQehVp8mJupuftiOBPClmVh4vrvN9gYd5rzEgB4Q9Ioiqz2qT 2bE1zegR8NeOKBOi9xriTU8F530OdFzeWAbo7D5gyEbYdc60eNwbadcgNGLbzMg= =09T8 -----END PGP SIGNATURE----- Subject: XSA-4: xen: correct limit checking in x86_64 version of __addr_ok The x86_64 __addr_ok() macro intends to ensure that the checked address is either in the positive half of the 48-bit virtual address space, or above the Xen-reserved area. However, the current shift count is off-by-one, allowing full access to the "negative half" too. Guests may exploit this to gain access to off-limits ranges. This issue has been assigned CVE-2011-2901. Signed-off-by: Laszlo Ersek <lersek@...hat.com> Signed-off-by: Ian Campbell <ian.campbell@...rix.com> diff --git a/xen/include/asm-x86/x86_64/uaccess.h b/xen/include/asm-x86/x86_64/uaccess.h --- a/xen/include/asm-x86/x86_64/uaccess.h +++ b/xen/include/asm-x86/x86_64/uaccess.h @@ -34,7 +34,7 @@ * non-canonical address (and thus fault) before ever reaching VIRT_START. */ #define __addr_ok(addr) \ - (((unsigned long)(addr) < (1UL<<48)) || \ + (((unsigned long)(addr) < (1UL<<47)) || \ ((unsigned long)(addr) >= HYPERVISOR_VIRT_END)) #define access_ok(addr, size) \
Comment 1 Tim Sammut (RETIRED) 2011-10-02 05:20:44 UTC
@xen, Ian, is our current stable impacted by this issue? Thanks!
Comment 2 Ian Delaney (RETIRED) 2011-10-06 16:39:16 UTC
Tim, yes, stable is xen-3 still. xen-4 is up for stabalisation, but not declared yet (testers seemingly avoiding it!!!). xen-3 will be kept a while. Shall see to getting this patch put in.
Comment 3 Ian Delaney (RETIRED) 2011-10-09 08:59:36 UTC
Created attachment 289309 [details, diff] the security patch in xen-3.4.2-fix-__addr_ok-limit.patch
Comment 4 Ian Delaney (RETIRED) 2011-10-09 09:02:26 UTC
Created attachment 289311 [details, diff] patch to make xen-3.4.2-r4.ebuild
Comment 5 Tony Vroon 2011-10-11 20:25:27 UTC
+*xen-3.4.2-r4 (11 Oct 2011) + + 11 Oct 2011; Tony Vroon <email@example.com> +xen-3.4.2-r4.ebuild, + +files/xen-3.4.2-CVE-2011-1583.patch, + +files/xen-3.4.2-fix-__addr_ok-limit.patch: + Patches by Ian "idella4" Delaney to address security bugs #385319 and + #386371. Arches, please test & mark stable.
Comment 6 Agostino Sarubbo 2011-10-11 22:08:29 UTC
Comment 7 Paweł Hajdan, Jr. (RETIRED) 2011-10-13 21:22:57 UTC
Comment 8 Markos Chandras (RETIRED) 2011-10-15 19:38:27 UTC
amd64 done. Thanks Agostino
Comment 9 Tim Sammut (RETIRED) 2011-10-15 23:45:38 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 10 Stefan Behte (RETIRED) 2012-03-06 01:02:38 UTC
Votes: Yes. GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot 2013-09-30 00:28:52 UTC
This issue was resolved and addressed in GLSA 201309-24 at http://security.gentoo.org/glsa/glsa-201309-24.xml by GLSA coordinator Chris Reffett (creffett).
Comment 12 GLSAMaker/CVETool Bot 2013-10-02 15:03:39 UTC
CVE-2011-2901 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2901): Off-by-one error in the __addr_ok macro in Xen 3.3 and earlier allows local 64 bit PV guest administrators to cause a denial of service (host crash) via unspecified hypercalls that ignore virtual-address bits.