
Bug 500536

Summary: <app-emulation/xen-{4.2.3-r1,4.3.1-r5}: integer overflow in XSM/FLASK calls (XSA-84) (CVE-2014-{1891,1892,1893,1894})
Product: Gentoo Security
Reporter: Chris Reffett (RETIRED) <creffett>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: idella4, xen
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://seclists.org/oss-sec/2014/q1/266
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Chris Reffett (RETIRED) gentoo-dev Security 2014-02-06 16:57:17 UTC
From ${URL}:

ISSUE DESCRIPTION
=================

The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID
suboperations of the flask hypercall are vulnerable to an integer
overflow on the input size. The hypercalls attempt to allocate a
buffer which is 1 larger than this size and is therefore vulnerable to
integer overflow and an attempt to allocate then access a zero byte
buffer.

Xen 3.3 through 4.1, while not affected by the above overflow, have a
different overflow issue on FLASK_{GET,SET}BOOL and expose unreasonably
large memory allocation to arbitrary guests.

Xen 3.2 (and presumably earlier) exhibit both problems, with the
overflow issue being present for more than just the suboperations
listed above.

The FLASK_GETBOOL op is available to all domains.

The FLASK_SETBOOL op is only available to domains which are granted
access via the Flask policy.  However the permissions check is
performed only after running the vulnerable code and the vulnerability
via this subop is exposed to all domains.

The FLASK_USER and FLASK_CONTEXT_TO_SID ops are only available to
domains which are granted access via the Flask policy.

IMPACT
======

Attempting to access the result of a zero byte allocation results in
a processor fault leading to a denial of service.

Patches available at http://xenbits.xen.org/xsa/advisory-84.html
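The advisory above describes two distinct defects: a length field whose "size + 1" allocation wraps to zero when the guest passes the maximum value, and a FLASK_SETBOOL permission check that ran only after that arithmetic. The following C program is an added illustration written for this page, not Xen's code and not the XSA-84 patch: the 32-bit length type, the MAX_BOOL_NAME_LEN cap and every function name are assumptions chosen to model the pattern in a stand-alone form. It places the wrapping computation beside a bounded one, and a handler that checks permission before touching the caller's length.

```c
/* Added illustration of the size+1 overflow described in XSA-84.
 * This is NOT Xen's code: the width of the length field, the
 * MAX_BOOL_NAME_LEN cap, and the function names are assumptions
 * chosen to model the pattern in a stand-alone, runnable form. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t guest_len_t;          /* assumed: 32-bit guest-supplied size */
#define MAX_BOOL_NAME_LEN 4096u        /* assumed: sane upper bound for a name */

/* Vulnerable pattern: "allocate size + 1" computed in the input's own width.
 * When size == UINT32_MAX the sum wraps to 0, so the caller would allocate a
 * zero-byte buffer and then write the terminating NUL past its end, which is
 * the processor fault the advisory's IMPACT section describes. */
uint32_t vulnerable_alloc_len(guest_len_t size)
{
    return (uint32_t)(size + 1);       /* wraps to 0 for UINT32_MAX */
}

/* Hardened pattern: bound the length before any arithmetic on it, and do the
 * arithmetic in a width that cannot wrap for an in-range value.
 * Returns 0 on success with *out set, -EINVAL if the length is rejected. */
int hardened_alloc_len(guest_len_t size, size_t *out)
{
    if (size > MAX_BOOL_NAME_LEN)
        return -EINVAL;                /* reject before size + 1 is ever formed */
    *out = (size_t)size + 1;           /* cannot overflow: size <= 4096 */
    return 0;
}

/* Model of a FLASK_SETBOOL-style handler. The advisory notes the original
 * performed the permission check only after the overflowing code had run;
 * here the check comes first, so unprivileged callers never reach the
 * length handling at all. Returns 0, -EPERM or -EINVAL. */
int hardened_setbool(int caller_permitted, guest_len_t size, size_t *alloc_len)
{
    if (!caller_permitted)
        return -EPERM;
    return hardened_alloc_len(size, alloc_len);
}

/* Copies a guest-supplied name into a freshly allocated NUL-terminated
 * buffer using the hardened length check. Caller frees the result.
 * Returns NULL if the length was rejected or allocation failed. */
char *copy_guest_name(const char *guest_buf, guest_len_t size)
{
    size_t len;
    if (hardened_alloc_len(size, &len) != 0)
        return NULL;
    char *name = malloc(len);
    if (name == NULL)
        return NULL;
    memcpy(name, guest_buf, size);
    name[size] = '\0';                 /* safe: buffer holds size + 1 bytes */
    return name;
}

int main(void)
{
    size_t len = 0;
    /* Constructed sample inputs: an ordinary length and the wrapping one. */
    printf("size=10:         vulnerable alloc len %u\n", vulnerable_alloc_len(10));
    printf("size=UINT32_MAX: vulnerable alloc len %u (wrapped to zero)\n",
           vulnerable_alloc_len(UINT32_MAX));
    printf("size=UINT32_MAX: hardened rc %d\n", hardened_alloc_len(UINT32_MAX, &len));
    printf("unprivileged setbool rc %d\n", hardened_setbool(0, 10, &len));

    char *name = copy_guest_name("some_boolean", 12);   /* constructed name */
    printf("copied name: %s\n", name ? name : "(rejected)");
    free(name);
    return 0;
}
```

The two checks are deliberately ordered: the permission test fails closed before any untrusted length is examined, and the length cap is applied before the addition rather than after it, because checking `size + 1 == 0` after the fact only catches the single wrapping value and not an absurdly large but non-wrapping request.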
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 19:34:55 UTC
CVE-2014-1894 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1894):
  Multiple integer overflows in unspecified suboperations in the flask
  hypercall in Xen 3.2.x and earlier, when XSM is enabled, allow local users
  to cause a denial of service (processor fault) via unspecified vectors, a
  different vulnerability than CVE-2014-1891, CVE-2014-1892, and
  CVE-2014-1893.

CVE-2014-1893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1893):
  Multiple integer overflows in the (1) FLASK_GETBOOL and (2) FLASK_SETBOOL
  suboperations in the flask hypercall in Xen 4.1.x, 3.3.x, 3.2.x, and
  earlier, when XSM is enabled, allow local users to cause a denial of service
  (processor fault) via unspecified vectors, a different vulnerability than
  CVE-2014-1891, CVE-2014-1892, and CVE-2014-1894.

CVE-2014-1892 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1892):
  Xen 3.3 through 4.1, when XSM is enabled, allows local users to cause a
  denial of service via vectors related to a "large memory allocation," a
  different vulnerability than CVE-2014-1891, CVE-2014-1893, and
  CVE-2014-1894.

CVE-2014-1891 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1891):
  Multiple integer overflows in the (1) FLASK_GETBOOL, (2) FLASK_SETBOOL, (3)
  FLASK_USER, and (4) FLASK_CONTEXT_TO_SID suboperations in the flask
  hypercall in Xen 4.3.x, 4.2.x, 4.1.x, 3.2.x, and earlier, when XSM is
  enabled, allow local users to cause a denial of service (processor fault)
  via unspecified vectors, a different vulnerability than CVE-2014-1892,
  CVE-2014-1893, and CVE-2014-1894.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-05-21 03:33:45 UTC
Fixed as part of Bug 500530.

Adding to existing GLSA.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-07-16 16:46:48 UTC
This issue was resolved and addressed in
GLSA 201407-03 at http://security.gentoo.org/glsa/glsa-201407-03.xml
by GLSA coordinator Mikle Kolyada (Zlogene).