
Bug 385319 (CVE-2011-2901)

Summary: <app-emulation/xen-3.4.2-r4: Host Crash Denial of Service Vulnerability (CVE-2011-2901)
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: idella4, xen
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2011/09/02/2
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 386371    
Attachments (Description / Flags):
  the security patch in xen-3.4.2-fix-__addr_ok-limit.patch / none
  patch to make xen-3.4.2-r4.ebuild / none

Description Tim Sammut (RETIRED) gentoo-dev 2011-10-02 05:19:52 UTC
From the upstream advisory as shared on oss-security at $URL:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2011-2901 / XSA-4
                        revision no.2
        Xen <= 3.3 DoS due to incorrect virtual address validation

ISSUE DESCRIPTION
=================

The x86_64 __addr_ok() macro intends to ensure that the checked
address is either in the positive half of the 48-bit virtual address
space, or above the Xen-reserved area. However, the current shift
count is off-by-one, allowing full access to the "negative half" too,
via certain hypercalls which ignore virtual-address bits [63:48].
Vulnerable hypercalls exist only in very old versions of the
hypervisor.

VULNERABLE SYSTEMS
==================

All systems running a Xen 3.3 or earlier hypervisor with 64-bit PV
guests with untrusted administrators are vulnerable.

IMPACT
======

A malicious guest administrator on a vulnerable system is able to
crash the host.

There are no known further exploits but these have not been ruled out.

RESOLUTION
==========

The attached patch resolves the issue.

Alternatively, users may choose to upgrade to a more recent hypervisor.

PATCHES
=======

The following patch resolves this issue.

Filename: fix-__addr_ok-limit.patch
SHA1: f18bde8d276110451c608a16f577865aa1226b4f
SHA256: 2da5aac72e1ac4849c34d38374ae456795905fd9512eef94b48fc31383c21636

This patch should apply cleanly, and fix the problem, for all affected
versions of Xen.

It is harmless when applied to later hypervisors and will be included
in the Xen unstable branch in due course.

VERSION HISTORY
===============

Analysis following version 1 of this advisory (sent out to the
predisclosure list during the embargo period) indicates that the
actual DoS vulnerability only exists in very old hypervisors, Xen 3.3
and earlier, contrary to previous reports.

This advisory is no longer embargoed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJOYLq2AAoJEIP+FMlX6CvZLegH/26/oJBkd/WM/yYhXkzlbnIP
MxF6Fgy96Omu8poQTanD7g1vEcM0TOLY+Kk3GGsfj4aDdEJ5Nq4ZOW8ooI0VnVcD
7VXQqFsXPxre+eZ6g+G0AsmzdsG45C3qujUTRfGKqzYwXqjWjt9nNsdIy1Mrz8/4
zG1uLDkN0LXnBG2Te4q8ZckYwMq8gFXHHnH35RfQ5Besu6pvJmtK3rFXETdlP12A
JjBh7t5jsCfzvYWFQehVp8mJupuftiOBPClmVh4vrvN9gYd5rzEgB4Q9Ioiqz2qT
2bE1zegR8NeOKBOi9xriTU8F530OdFzeWAbo7D5gyEbYdc60eNwbadcgNGLbzMg=
=09T8
-----END PGP SIGNATURE-----

Subject: XSA-4: xen: correct limit checking in x86_64 version of __addr_ok

The x86_64 __addr_ok() macro intends to ensure that the checked
address is either in the positive half of the 48-bit virtual address
space, or above the Xen-reserved area. However, the current shift
count is off-by-one, allowing full access to the "negative half"
too. Guests may exploit this to gain access to off-limits ranges.

This issue has been assigned CVE-2011-2901.

Signed-off-by: Laszlo Ersek <lersek@...hat.com>
Signed-off-by: Ian Campbell <ian.campbell@...rix.com>

diff --git a/xen/include/asm-x86/x86_64/uaccess.h b/xen/include/asm-x86/x86_64/uaccess.h
--- a/xen/include/asm-x86/x86_64/uaccess.h
+++ b/xen/include/asm-x86/x86_64/uaccess.h
@@ -34,7 +34,7 @@
  * non-canonical address (and thus fault) before ever reaching VIRT_START.
  */
 #define __addr_ok(addr) \
-    (((unsigned long)(addr) < (1UL<<48)) || \
+    (((unsigned long)(addr) < (1UL<<47)) || \
      ((unsigned long)(addr) >= HYPERVISOR_VIRT_END))
 
 #define access_ok(addr, size) \
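Review bot: the new bound `1UL<<47` is the correct top of the positive canonical half (the largest address with bit 47 clear is 0x00007fffffffffff), but the hunk leaves it as a bare magic number right next to the comment above that speaks of non-canonical addresses faulting before VIRT_START; a named width constant (`1UL << (VA_BITS - 1)` or similar) and one sentence in that comment explaining that values in [2^47, 2^48) are exactly the ones a hypercall which masks bits [63:48] would fold back into the Xen area would make the off-by-one much harder to reintroduce. The `access_ok(addr, size)` macro that follows should also be re-read after this change to confirm its end-of-range test uses the same limit.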
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-10-02 05:20:44 UTC
@xen, Ian, is our current stable impacted by this issue? Thanks!
Comment 2 Ian Delaney (RETIRED) gentoo-dev 2011-10-06 16:39:16 UTC
Tim,

yes, stable is xen-3 still.  xen-4 is up for stabilisation, but not declared yet (testers seemingly avoiding it!!!).
xen-3 will be kept a while.  Shall see to getting this patch put in.
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2011-10-09 08:59:36 UTC
Created attachment 289309 [details, diff]
the security patch in xen-3.4.2-fix-__addr_ok-limit.patch
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2011-10-09 09:02:26 UTC
Created attachment 289311 [details, diff]
patch to make xen-3.4.2-r4.ebuild
Comment 5 Tony Vroon gentoo-dev 2011-10-11 20:25:27 UTC
+*xen-3.4.2-r4 (11 Oct 2011)
+
+  11 Oct 2011; Tony Vroon <chainsaw@gentoo.org> +xen-3.4.2-r4.ebuild,
+  +files/xen-3.4.2-CVE-2011-1583.patch,
+  +files/xen-3.4.2-fix-__addr_ok-limit.patch:
+  Patches by Ian "idella4" Delaney to address security bugs #385319 and
+  #386371.

Arches, please test & mark stable.
Comment 6 Agostino Sarubbo gentoo-dev 2011-10-11 22:08:29 UTC
amd64 ok
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-13 21:22:57 UTC
x86 stable
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2011-10-15 19:38:27 UTC
amd64 done. Thanks Agostino
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-10-15 23:45:38 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 01:02:38 UTC
Votes: Yes. GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-09-30 00:28:52 UTC
This issue was resolved and addressed in
 GLSA 201309-24 at http://security.gentoo.org/glsa/glsa-201309-24.xml
by GLSA coordinator Chris Reffett (creffett).
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-10-02 15:03:39 UTC
CVE-2011-2901 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2901):
  Off-by-one error in the __addr_ok macro in Xen 3.3 and earlier allows local
  64 bit PV guest administrators to cause a denial of service (host crash) via
  unspecified hypercalls that ignore virtual-address bits.
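The off-by-one described in the advisory and the CVE summary above, as an added example that is not part of this Gentoo bug or of Xen's own code: it reimplements the old and the fixed __addr_ok() tests in plain C beside a model of a hypercall that discards address bits [63:48], and reports which guest-supplied values end up inside Xen's reserved range under each check. The HYPERVISOR_VIRT_START/HYPERVISOR_VIRT_END values, the probe addresses and the drop_high_bits()/canonical()/reaches_xen() helpers are assumptions made for illustration, not Xen definitions.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed x86_64 layout for this example (illustrative constants, not
 * copied from the Xen tree): Xen keeps the lowest 512 GiB slot of the
 * upper canonical half for itself. */
#define VA_BITS               48
#define VA_MASK               ((UINT64_C(1) << VA_BITS) - 1)
#define HYPERVISOR_VIRT_START UINT64_C(0xffff800000000000)
#define HYPERVISOR_VIRT_END   UINT64_C(0xffff880000000000)

/* Vulnerable test, as in Xen <= 3.3: admits the entire 48-bit range,
 * including the non-canonical values in [2^47, 2^48). */
static bool addr_ok_old(uint64_t addr)
{
    return addr < (UINT64_C(1) << 48) || addr >= HYPERVISOR_VIRT_END;
}

/* XSA-4 fix: only the positive half (bit 47 clear) or above Xen's area. */
static bool addr_ok_fixed(uint64_t addr)
{
    return addr < (UINT64_C(1) << 47) || addr >= HYPERVISOR_VIRT_END;
}

/* Models a hypercall that "ignores virtual-address bits [63:48]": the
 * guest-supplied value is truncated to 48 bits before being validated. */
static uint64_t drop_high_bits(uint64_t addr)
{
    return addr & VA_MASK;
}

/* What the MMU sees afterwards: a 48-bit value is sign-extended from
 * bit 47 into a canonical 64-bit address. */
static uint64_t canonical(uint64_t addr48)
{
    return (addr48 & (UINT64_C(1) << 47)) ? (addr48 | ~VA_MASK) : addr48;
}

/* True if guest_addr passes `check' after truncation and the access then
 * lands inside Xen's reserved range, i.e. the check failed to protect it. */
static bool reaches_xen(bool (*check)(uint64_t), uint64_t guest_addr)
{
    uint64_t a = drop_high_bits(guest_addr);
    if (!check(a))
        return false;
    uint64_t real = canonical(a);
    return real >= HYPERVISOR_VIRT_START && real < HYPERVISOR_VIRT_END;
}

int main(void)
{
    /* Constructed guest inputs: user half, inside Xen's area, above Xen. */
    const uint64_t probes[] = {
        UINT64_C(0x00007fffffff0000),
        UINT64_C(0xffff800000001000),
        UINT64_C(0xffff900000000000),
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint64_t p = probes[i];
        printf("%016" PRIx64 ": old %s  fixed %s  reaches Xen: old=%d fixed=%d\n",
               p,
               addr_ok_old(drop_high_bits(p)) ? "ok " : "bad",
               addr_ok_fixed(drop_high_bits(p)) ? "ok " : "bad",
               reaches_xen(addr_ok_old, p), reaches_xen(addr_ok_fixed, p));
    }
    return 0;
}
```

Build with `cc -std=c11 -o xsa4 xsa4.c && ./xsa4`. The second probe is the interesting row: once bits [63:48] are dropped, 0xffff800000001000 becomes 0x0000800000001000, which the old macro accepts (it is below 2^48) and the fixed one rejects (bit 47 is set and it is below HYPERVISOR_VIRT_END); sign-extension then puts the old-macro access squarely inside Xen's area. When the full 64-bit value is checked without truncation, both versions reject it, which is why the advisory limits the impact to hypercalls that ignore the high bits.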