Xen Security Advisory CVE-2016-7094 / XSA-187 version 3 x86 HVM: Overflow of sh_ctxt->seg_reg[] ISSUE DESCRIPTION ================= x86 HVM guests running with shadow paging use a subset of the x86 emulator to handle the guest writing to its own pagetables. There are situations a guest can provoke which result in exceeding the space allocated for internal state. IMPACT ====== A malicious HVM guest administrator can cause Xen to fail a bug check, causing a denial of service to the host. VULNERABLE SYSTEMS ================== All versions of Xen are vulnerable. The vulnerability is only exposed to HVM guests on x86 hardware, which are configured to run with shadow paging. The vulnerability is not exposed to x86 PV guests, x86 HVM guests running with hardware assisted paging, or ARM guests. x86 HVM guests run in HAP mode by default on modern CPUs. To discover whether your HVM guests are using HAP, or shadow page tables: request debug key `q' (from the Xen console, or with `xl debug-keys q'). This will print (to the console, and visible in `xl dmesg'), debug information for every domain, containing something like this: (XEN) General information for domain 2: (XEN) refcnt=1 dying=2 pause_count=2 (XEN) nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400 (XEN) handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000 (XEN) paging assistance: hap refcounts translate external ^^^ The presence of `hap' here indicates that the host is not vulnerable to this domain. For an HVM domain the presence of `shadow' indicates that the domain can exploit the vulnerability. MITIGATION ========== Running only PV guests will avoid this vulnerability. On hardware which supports Hardware Assisted Paging, configuring the guests to not run with shadow paging will avoid this vulnerability. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the first patch will resolve this issue. The second patch provides additional assurance that the vulnerability is truly eliminated and that there are no related problems. If hotpatching, applying only the first patch is recommended since the second patch is awkward for hotpatching. If deploying new builds, applying both patches is recommended. ______________________________ Xen Security Advisory CVE-2016-7092 / XSA-185 version 3 x86: Disallow L3 recursive pagetable for 32-bit PV guests UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= On real hardware, a 32-bit PAE guest must leave the USER and RW bit clear in L3 pagetable entries, but the pagetable walk behaves as if they were set. (The L3 entries are cached in processor registers, and don't actually form part of the pagewalk.) When running a 32-bit PV guest on a 64-bit Xen, Xen must always OR in the USER and RW bits for L3 updates for the guest to observe architectural behaviour. This is unsafe in combination with recursive pagetables. As there is no way to construct an L3 recursive pagetable in native 32-bit PAE mode, disallow this option in 32-bit PV guests. IMPACT ====== A malicious 32-bit PV guest administrator can escalate their privilege to that of the host. VULNERABLE SYSTEMS ================== All versions of Xen are vulnerable. Only 64-bit builds of the hypervisor are vulnerable. For Xen 4.3 and earlier, 32-bit builds of the hypervisor are not vulnerable. The vulnerability is only exposed to 32-bit PV guests on x86 hardware. The vulnerability is not exposed to 64-bit PV guests, x86 HVM guests, or ARM guests. MITIGATION ========== Running only 64-bit PV or HVM guests will avoid this vulnerability. CREDITS ======= This issue was found in parallel by multiple discoverers, who each disclosed it to the Xen Project Security Team. The first report to us was made by Jérémie Boutoille of Quarkslab. The second report, one working day later, by Shangcong Luan of Alibaba Cloud. RESOLUTION ========== Applying the attached patch resolves this issue. xsa185.patch xen-unstable - Xen 4.4 $ sha256sum xsa185* 3328a1953ecdf4de35462ea8396b0927171d718e95f73a87a7f651427bd8f8b4 xsa18 ______________________________ Xen Security Advisory CVE-2016-7093 / XSA-186 version 4 x86: Mishandling of instruction pointer truncation during emulation UPDATES IN VERSION 4 ==================== Public release. ISSUE DESCRIPTION ================= When emulating HVM instructions, Xen uses a small i-cache for fetches from guest memory. The code that handles cache misses does not check if the address from which it fetched lies within the cache before blindly writing to it. As such it is possible for the guest to overwrite hypervisor memory. It is currently believed that the only way to trigger this bug is to use the way that Xen currently incorrectly wraps CS:IP in 16 bit modes. The included patch prevents such wrapping. IMPACT ====== A malicious HVM guest administrator can escalate their privilege to that of the host. VULNERABLE SYSTEMS ================== Xen versions 4.7.0 and later are vulnerable. Xen releases 4.6.3 and 4.5.3 are vulnerable. Xen releases 4.6.0 to 4.6.2 inclusive are NOT vulnerable. Xen releases 4.5.2 and earlier are NOT vulnerable. The vulnerability is only exposed to HVM guests on x86 hardware. The vulnerability is not exposed to x86 PV guests, or ARM guests. MITIGATION ========== Running only PV guests will avoid this vulnerability. CREDITS ======= This issue was discovered by Brian Marcotte. RESOLUTION ========== Applying the first patch will resolve the issue.
fixed in tree =app-emulation/xen-4.6.3-r2 =app-emulation/xen-4.7.0-r2 commit 1a7685105711a4c1c8899a717d128a569e63e608 Author: Yixun Lan <dlan@gentoo.org> Date: Fri Sep 9 09:16:47 2016 +0800 app-emulation/xen: security bump, XSA-185/186/187 Package-Manager: portage-2.3.0 :100644 100644 93dc0da... 94e76a9... M app-emulation/xen/Manifest :000000 100644 00000000.. 5773cce... A app-emulation/xen/xen-4.6.3-r2.ebuild :000000 100644 00000000.. 5773cce... A app-emulation/xen/xen-4.7.0-r2.ebuild
Arches, please test and mark stable: =app-emulation/xen-4.6.3-r2 Target keyword only: "amd64"
amd64 stable. Maintainer(s), please cleanup. Security, please vote.
Arches, Thank you for your work. Added to an existing GLSA Request. Maintainer(s), please drop the vulnerable version(s). Version: 4.6.3-r1
Maintainer(s), Thank you for cleanup!
This issue was resolved and addressed in GLSA 201611-09 at https://security.gentoo.org/glsa/201611-09 by GLSA coordinator Aaron Bauman (b-man).