Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 519804 (CVE-2014-5147) - <app-emulation/xen-4.4.0-r6: Flaws in handling traps from 32-bit userspace on 64-bit ARM (XSA-102) (CVE-2014-5147)
Summary: <app-emulation/xen-4.4.0-r6: Flaws in handling traps from 32-bit userspace on...
Status: RESOLVED FIXED
Alias: CVE-2014-5147
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-13 09:11 UTC by Agostino Sarubbo
Modified: 2015-01-04 21:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-08-13 09:11:25 UTC
From ${URL} :

              Xen Security Advisory CVE-2014-5147 / XSA-102
                              version 3

       Flaws in handling traps from 32-bit userspace on 64-bit ARM

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When handling a trap from guest mode on ARM, Xen asserts that the
current guest mode must match the domain address width.  This
assertion is false when a guest takes a trap from a 32-bit userspace
running on a 64-bit kernel in a 64-bit domain.

IMPACT
======

Any user in a guest which is running a 64-bit kernel who is able to
spawn a 32-bit process can crash the host.  I.e. an unprivileged guest
user can cause host-wide denial of service.

VULNERABLE SYSTEMS
==================

32-bit ARM systems and and X86 systems are not vulnerable.

64-bit ARM systems which support 32-bit userspace are vulnerable.

Not all 64-bit ARM CPUs support 32-bit userspace in the actual CPU
hardware.  Systems without that hardware support are not vulnerable.

Also, not all 64-bit ARM guest kernels have support for 32-bit
userspace.  Systems without that kernel support are vulnerable to a
malicious guest administrator, but not to an unprivileged guest user.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather than
guest administrator, running only 32-bit kernels.

On systems where the guest kernel is controlled by the host rather than
guest administrator, running 64-bit kernels with support for 32-bit
userspace disabled (e.g CONFIG_COMPAT=n under Linux) will prevent untrusted
guest users from exploting this issue. However untrusted guest
administrators can still trigger it unless further steps are taken to
prevent them from loading code into the kernel (e.g. by disabling loadable
modules etc) or from using other mechanisms which allow them to run code at
kernel privilege.

CREDITS
=======

This issue was reported as a bug by Riku Voipio, discovered via
Linaro's LAVA testing and was diagnosed as a security issue by Ian
Campbell.

RESOLUTION
==========

Applying the appropriate attached patches resolves these security
issues.

xsa102-unstable-*.patch        xen-unstable
xsa102-4.4-*.patch             Xen 4.4.x


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Yixun Lan gentoo-dev 2014-08-19 14:19:08 UTC
fixed in app-emulation/xen-4.4.0-r6, vulnerable version has been cleaned. and I'm closing this bug. thanks.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-08-25 19:50:54 UTC
dlan, there need to be a few more things done when closing (like name change, whiteboard change). Just let the security team know and we can handle these, but please do not close the bugs as they no longer show up in searches that all of us have set up.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 21:39:32 UTC
CVE-2014-5147 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5147):
  Xen 4.4.x, when running a 64-bit kernel on an ARM system, does not properly
  handle traps from the guest domain that use a different address width, which
  allows local guest users to cause a denial of service (host crash) via a
  crafted 32-bit process.