Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 588780 (CVE-2016-6258)

Summary: <app-emulation/xen{-tools}-4.6.3-r1, <app-emulation/xen-pvgrub-4.6.3: Multiple vulnerabilities (CVE-2016-6258)
Product: Gentoo Security Reporter: Aaron Bauman <bman>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: dlan
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 579074    
Attachments:
Description Flags
xsa182-4.5.patch
none
xsa182-4.6.patch
none
xsa182-unstable.patch
none
xsa183-4.6.patch
none
xsa183-unstable.patch none

Description Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-13 19:32:18 UTC
Xen Security Advisory XSA-182

                x86: Privilege escalation in PV guests

              *** EMBARGOED UNTIL 2016-07-26 12:00 UTC ***

ISSUE DESCRIPTION
=================

The PV pagetable code has fast-paths for making updates to pre-existing
pagetable entries, to skip expensive re-validation in safe cases
(e.g. clearing only Access/Dirty bits).  The bits considered safe were too
broad, and not actually safe.

IMPACT
======

A malicous PV guest administrator can escalate their privilege to that
of the host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

The vulnerability is only exposed to PV guests on x86 hardware.

The vulnerability is not exposed to x86 HVM guests, or ARM guests.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa182.patch           xen-unstable, Xen 4.7.x
xsa182-4.6.patch       Xen 4.6.x
xsa182-4.5.patch       Xen 4.5.x, 4.4.x, 4.3.x

$ sha256sum xsa182*
7142b80e6b7bfe28a184774f0ffdfd01b7f7be0fb674392dfcdbfec29a27b0cd  xsa182-unstable.patch
c5747cb25beb8e9a1f1f5427d89b2f90fd47d8e6fc4af9ffbf3878c19015fd9c  xsa182-4.5.patch
bb397629c599427dbef99ce795bc9848b0898af12741db63442abe70f1fe93ae  xsa182-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-13 19:39:14 UTC
Created attachment 440622 [details, diff]
xsa182-4.5.patch
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-13 19:39:53 UTC
Created attachment 440624 [details, diff]
xsa182-4.6.patch
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-13 19:40:25 UTC
Created attachment 440628 [details, diff]
xsa182-unstable.patch
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-13 19:40:50 UTC
Created attachment 440630 [details, diff]
xsa183-4.6.patch
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-13 19:41:11 UTC
Created attachment 440632 [details, diff]
xsa183-unstable.patch
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-13 19:56:51 UTC
Xen Security Advisory XSA-183

    x86: Missing SMAP whitelisting in 32-bit exception / event delivery

              *** EMBARGOED UNTIL 2016-07-26 12:00 UTC ***

ISSUE DESCRIPTION
=================

Supervisor Mode Access Prevention is a hardware feature designed to make
an Operating System more robust, by raising a pagefault rather than
accidentally following a pointer into userspace.  However, legitimate
accesses into userspace require whitelisting, and the exception delivery
mechanism for 32bit PV guests wasn't whitelisted.

IMPACT
======

A malicious 32-bit PV guest kernel can trigger a safety check, crashing
the hypervisor and causing a denial of service to other VMs on the host.

VULNERABLE SYSTEMS
==================

Xen version 4.5 and newer are vulnerable.  Versions 4.4 and older are
not, due to not having software support for SMAP.

The vulnerability is only exposed on x86 hardware supporting the SMAP
feature (Intel Broadwell and later CPUs).  The vulnerability is not
exposed on ARM hardware, or x86 hardware which do not support SMAP.

The vulnerability is only exposed to x86 32bit PV guests.  The
vulnerability is not exposed to 64bit PV guests or HVM guests.

MITIGATION
==========

Running only HVM guests or 64-bit PV guests, avoids the vulnerability.

Disabling SMAP in the hypervisor by booting Xen with "smap=0" on the
command line will avoid this vulnerability.  (Depending on the
circumstances this workaround may pose a small risk of increasing the
impact of other, possibly unknown, vulnerabilities.)

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa183.patch           xen-unstable, 4.7.x
xsa183-4.6.patch       Xen 4.6.x, 4.5.x

$ sha256sum xsa183*
7d349c7c33e3bd7fcbc493a819f1d2007b9c38d4425d9e4ba642e402e007892b  xsa183-unstable.patch
d66d6ae60a1f18e19fe85850b8c8ec1af70eb81635c274a770a2eeda58404c14  xsa183-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Deployment of the "smap=0" mitigation is NOT permitted (except
where all the affected systems and VMs are administered and used only
by organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.  This is because this produces a guest-visible
change which could lead to rediscovery of the vulnerability.

And: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 7 Yixun Lan gentoo-dev 2016-07-14 10:26:45 UTC
@bman, you don't have to attach patches here (may save your time), we've already got via xen upstream's security list
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-14 10:53:42 UTC
(In reply to Yixun Lan from comment #7)
> @bman, you don't have to attach patches here (may save your time), we've
> already got via xen upstream's security list

Thank you.  Kristian informed me as well and I will not attach them in the future.
Comment 9 Yixun Lan gentoo-dev 2016-07-27 01:24:13 UTC
fixed at 
=app-emulation/xen-4.6.3-r1
=app-emulation/xen-4.7.0-r1

btw, there is another XSA-184 which will expire at 2016/07/27 15:00

do you guys want to stable this version? or wait for the next -r2?
Comment 10 Yixun Lan gentoo-dev 2016-07-27 01:32:51 UTC
Arches, please test and mark stable:
=app-emulation/xen-4.6.3-r1
Target keyword only: "amd64" 

=app-emulation/xen-pvgrub-4.6.3
=app-emulation/xen-tools-4.6.3
Target keywords: "amd64 x86"


Notice: I'll bump to =app-emulation/xen-tools-r1 soon (14 hours later)
Comment 11 Yixun Lan gentoo-dev 2016-07-27 18:31:05 UTC
updated, included XSA-184 fix


arches, please test and mark stable:
=app-emulation/xen-4.6.3-r1
Target keyword only: "amd64" 

=app-emulation/xen-pvgrub-4.6.3
=app-emulation/xen-tools-4.6.3-r1
Target keywords: "amd64 x86"
Comment 12 Sergey Popov gentoo-dev 2016-07-27 18:40:39 UTC
Embargo date is passed, making bug publicly visible
Comment 13 Agostino Sarubbo gentoo-dev 2016-07-28 14:51:53 UTC
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-07-28 14:56:23 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 15 Yixun Lan gentoo-dev 2016-07-28 16:52:37 UTC
done the cleanup, thanks


commit b640b623d901afc89ac1e47c7dd5f8b94cebcd12
Author: Yixun Lan <dlan@gentoo.org>
Date:   Fri Jul 29 00:48:13 2016 +0800

    app-emulation/xen-pvgrub: drop old
    
    Package-Manager: portage-2.3.0

:100644 100644 9d16eff... 5939f84... M  app-emulation/xen-pvgrub/Manifest
:100644 000000 4e08a30... 0000000... D  app-emulation/xen-pvgrub/files/xen-4-fix_dotconfig-gcc.patch
:100644 000000 f2525ae... 0000000... D  app-emulation/xen-pvgrub/files/xen-4.2.1-externals.patch
:100644 000000 588be74... 0000000... D  app-emulation/xen-pvgrub/files/xen-4.3-fix_dotconfig-gcc.patch
:100644 000000 5bba0fd... 0000000... D  app-emulation/xen-pvgrub/files/xen-4.4-fix_dotconfig-gcc.patch
:100644 000000 33d56db... 0000000... D  app-emulation/xen-pvgrub/files/xen-pvgrub-4-qa.patch
:100644 000000 ea69366... 0000000... D  app-emulation/xen-pvgrub/files/xen-pvgrub-4.2.3-qa.patch
:100644 000000 f5cb3d2... 0000000... D  app-emulation/xen-pvgrub/files/xen-pvgrub-4.3.1-qa.patch
:100644 000000 eb54859... 0000000... D  app-emulation/xen-pvgrub/xen-pvgrub-4.6.0.ebuild
:100644 000000 bf577ad... 0000000... D  app-emulation/xen-pvgrub/xen-pvgrub-4.6.1.ebuild

commit f2ad0b87046b1a0349f702a7126b66c4a360214c
Author: Yixun Lan <dlan@gentoo.org>
Date:   Fri Jul 29 00:44:19 2016 +0800

    app-emulation/xen-tools: drop old vulnerable versions
    
    Gentoo-Bug: 588780
    
    Package-Manager: portage-2.3.0

:100644 100644 f4a828a... c614caa... M  app-emulation/xen-tools/Manifest
:100644 000000 8e879dc... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.0-r10.ebuild
:100644 000000 0ce7a84... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.0-r11.ebuild
:100644 000000 92486da... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.0-r9.ebuild
:100644 000000 ecf2593... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.1-r1.ebuild
:100644 000000 1d23c9f... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.1-r2.ebuild
:100644 000000 1a0afb5... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.1-r3.ebuild
:100644 000000 0b7d40f... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.1-r4.ebuild
:100644 000000 a63bbda... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.1.ebuild
:100644 000000 62d7661... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.3.ebuild
:100644 000000 62d7661... 0000000... D  app-emulation/xen-tools/xen-tools-4.7.0.ebuild

commit 84bf2b9c833cde1fcaa35aa8b59fd86a67d2659b
Author: Yixun Lan <dlan@gentoo.org>
Date:   Fri Jul 29 00:37:03 2016 +0800

    app-emulation/xen: drop old vulnerable versions
    
    Gentoo-Bug: 588780
    
    Package-Manager: portage-2.3.0

:100644 100644 905cd14... 93dc0da... M  app-emulation/xen/Manifest
:100644 000000 c0dbd20... 0000000... D  app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch
:100644 000000 6e38aaa... 0000000... D  app-emulation/xen/files/xen-4.2-efi.patch
:100644 000000 76ff44a... 0000000... D  app-emulation/xen/files/xen-4.5-efi.patch
:100644 000000 9402472... 0000000... D  app-emulation/xen/xen-4.6.0-r10.ebuild
:100644 000000 04e2f63... 0000000... D  app-emulation/xen/xen-4.6.0-r9.ebuild
:100644 000000 ce56970... 0000000... D  app-emulation/xen/xen-4.6.1-r1.ebuild
:100644 000000 4461a53... 0000000... D  app-emulation/xen/xen-4.6.1-r2.ebuild
:100644 000000 8a514ff... 0000000... D  app-emulation/xen/xen-4.6.1-r3.ebuild
:100644 000000 6277f0c... 0000000... D  app-emulation/xen/xen-4.6.1.ebuild
:100644 000000 97198be... 0000000... D  app-emulation/xen/xen-4.6.3.ebuild
:100644 000000 97198be... 0000000... D  app-emulation/xen/xen-4.7.0.ebuild
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2016-11-15 07:43:35 UTC
This issue was resolved and addressed in
 GLSA 201611-09 at https://security.gentoo.org/glsa/201611-09
by GLSA coordinator Aaron Bauman (b-man).