Bug 571552 (CVE-2016-1570) - <app-emulation/xen{-tools}-4.6.0-r8: PV superpage functionality missing sanity checks (XSA-167) (CVE-2016-1570)
Status: RESOLVED FIXED
Alias: CVE-2016-1570
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: C2 [glsa cve]
Keywords: STABLEREQ
Reported: 2016-01-11 15:13 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-04-05 07:02 UTC
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-01-11 15:13:00 UTC
Xen Security Advisory XSA-167

            PV superpage functionality missing sanity checks

              *** EMBARGOED UNTIL 2016-01-20 12:00 UTC ***

ISSUE DESCRIPTION
=================

The PV superpage functionality lacks certain validity checks on data
being passed to the hypervisor by guests.  This is the case for the
page identifier (MFN) passed to MMUEXT_MARK_SUPER and
MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as
well as for various forms of page table updates.

IMPACT
======

Use of the feature, which is disabled by default, may have unknown
effects, ranging from information leaks through Denial of Service to
privilege escalation.

VULNERABLE SYSTEMS
==================

Only systems which enable the PV superpage feature are affected.  That
is, only systems with an `allowsuperpage' setting on the hypervisor
command line.  Note that in Xen 4.0.x and 3.4.x the option is named
`allowhugepage'.

Xen versions 3.4.0, 3.4.1, and from 4.1 onwards are affected.

Only x86 systems are affected.

Only PV guests can exploit the vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this issue.

Not enabling PV superpage support (by omitting the `allowsuperpage' or
`allowhugepage' hypervisor command line options) will avoid exposing
the issue.

CREDITS
=======

This issue was discovered by the 360 Marvel Team.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa167.patch           xen-unstable, Xen 4.6.x, 4.5.x
xsa167-4.4.patch       Xen 4.4.x, 4.3.x

$ sha256sum xsa167*
92dda6ba2de63062b8c2377d4d4228ee01a726c2fd126dfc9c9cb790a80db643  xsa167.patch
4c72916f233287ea512fb7041c3c0bbc170205e7d58711f3a7977cae3c2dbf1f  xsa167-4.4.patch
2613559c98909f3c93688a7f0d4979d5fdad4e46bf7f46a5d73c669620d7ac88  xsa167-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.


However deployment of the SUPERPAGE DISABLEMENT MITIGATION is NOT
permitted (except where all the affected systems and VMs are
administered and used only by organisations which are members of the
Xen Project Security Issues Predisclosure List).  Specifically,
deployment on public cloud systems is NOT permitted.

This is because disabling PV superpage support is visible to guests, so
such deployment could lead to the rediscovery of the vulnerability.

Deployment of the mitigation is permitted only AFTER the embargo ends.


Also: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
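The advisory's mitigation is to leave `allowsuperpage` (or `allowhugepage` on Xen 4.0.x/3.4.x) off the hypervisor command line. The following check is an added example, not part of the advisory or of Gentoo's packaging: it parses a Xen command line for that option and, on a dom0, reads the live command line from `xl info`. It assumes Xen's usual boolean-option syntax (bare name or `=1/yes/on/true` enables; `no-` prefix or `=0/no/off/false/disable` disables; the last occurrence wins).

```shell
# Inspect a Xen hypervisor command line for the PV superpage option that
# exposes XSA-167: `allowsuperpage` (or `allowhugepage` on Xen 4.0.x/3.4.x).
# Assumption: Xen's usual boolean-option syntax, a bare name or =1/yes/on/true
# enables, a `no-` prefix or =0/no/off/false/disable disables, last one wins.

# pv_superpage_enabled CMDLINE -> exit status 0 if the feature is enabled
pv_superpage_enabled() {
    enabled=1   # shell false: off unless the command line turns it on
    for tok in $1; do
        case "$tok" in
            no-allowsuperpage|no-allowhugepage) enabled=1 ;;
            allowsuperpage|allowhugepage)       enabled=0 ;;
            allowsuperpage=*|allowhugepage=*)
                case "${tok#*=}" in
                    0|no|off|false|disable) enabled=1 ;;
                    *)                      enabled=0 ;;
                esac ;;
        esac
    done
    return $enabled
}

# Command line of the running hypervisor as reported by the toolstack
# (requires running in dom0 with xl available).
running_xen_cmdline() {
    xl info 2>/dev/null | sed -n 's/^xen_commandline[[:space:]]*:[[:space:]]*//p'
}

# Report whether this host is exposed; exit status 1 when it is.
check_running_host() {
    cmdline=$(running_xen_cmdline)
    if pv_superpage_enabled "$cmdline"; then
        echo "EXPOSED: PV superpages enabled by hypervisor command line: $cmdline"
        return 1
    fi
    echo "OK: PV superpage feature not enabled (XSA-167 not exposed)"
    return 0
}
```

Hosts where the check reports EXPOSED still need the version-appropriate xsa167 patch; removing the option only avoids exposing the issue.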
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-01-12 09:16:13 UTC
Updated resolution to be precise in patch naming


Almost:

xsa167.patch           xen-unstable
xsa167-4.6.patch       Xen 4.6.x, 4.5.x
xsa167-4.4.patch       Xen 4.4.x, 4.3.x

Will be fixed in next version sent out.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-01-20 12:14:48 UTC
Public release
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2016-01-21 14:21:58 UTC
commit 355e4fcbd3f83ef4b3d435e843503033d1a8c3b8
Author: Ian Delaney <idella4@gentoo.org>
Date:   Thu Jan 21 22:07:07 2016 +0800

    app-emulation/xen: revbumps to vns. 4.5.2-r4 4.6.0-r8
    
    wrt gentoo security bug. patches added; xsa 167-4.6, xsa168
    Purging of led version to await stabilisation of revbumped vns.
    
    Gentoo bug: #571556, #571552
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2016-01-21 14:29:52 UTC
Arches please stabilise

                                    Arches

=app-emulation/xen-4.5.2-r4         amd64  arm
=app-emulation/xen-4.6.0-r8         amd64  arm
=app-emulation/xen-tools-4.5.2-r4   amd64  arm  x86
=app-emulation/xen-tools-4.6.0-r7   amd64  arm  x86

The irregularity here is that xen-tools is still to be set stable for the first time.  I have no insight into how or why there is difficulty or delay in that, but if there is I have had no such notification.

I will await full stabilisation before clearing the vulnerable version.

This can serve for #571556
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2016-01-21 14:31:55 UTC
Need also to include

commit dd9ecb826db3250e60c35d188804cb16cf0a6dde
Author: Ian Delaney <idella4@gentoo.org>
Date:   Thu Jan 21 22:03:25 2016 +0800

    app-emulation/xen-tools: revbumps to vns. 4.5.2-r4 4.6.0-r7
    
    wrt gentoo security bug. patches added; xsa 167-4.6, xsa168
    Purging of led version to await stabilisation of revbumped vns.
    
    Gentoo bug: #571556, #571552
Comment 6 Agostino Sarubbo gentoo-dev 2016-01-22 09:31:34 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-01-22 10:01:11 UTC
x86 stable
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-03-12 11:15:53 UTC
Added to existing GLSA.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-04-05 07:02:06 UTC
This issue was resolved and addressed in
 GLSA 201604-03 at https://security.gentoo.org/glsa/201604-03
by GLSA coordinator Yury German (BlueKnight).