Xen Security Advisory CVE-2014-5147 / XSA-102
version 3

Flaws in handling traps from 32-bit userspace on 64-bit ARM

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When handling a trap from guest mode on ARM, Xen asserts that the current guest mode must match the domain address width. This assertion is false when a guest takes a trap from a 32-bit userspace running on a 64-bit kernel in a 64-bit domain.

IMPACT
======

Any user in a guest which is running a 64-bit kernel who is able to spawn a 32-bit process can crash the host. I.e. an unprivileged guest user can cause host-wide denial of service.

VULNERABLE SYSTEMS
==================

32-bit ARM systems and x86 systems are not vulnerable.

64-bit ARM systems which support 32-bit userspace are vulnerable.

Not all 64-bit ARM CPUs support 32-bit userspace in the actual CPU hardware. Systems without that hardware support are not vulnerable.

Also, not all 64-bit ARM guest kernels have support for 32-bit userspace. Systems without that kernel support are vulnerable to a malicious guest administrator, but not to an unprivileged guest user.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather than guest administrator, running only 32-bit kernels.

On systems where the guest kernel is controlled by the host rather than guest administrator, running 64-bit kernels with support for 32-bit userspace disabled (e.g. CONFIG_COMPAT=n under Linux) will prevent untrusted guest users from exploiting this issue. However, untrusted guest administrators can still trigger it unless further steps are taken to prevent them from loading code into the kernel (e.g. by disabling loadable modules etc.) or from using other mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was reported as a bug by Riku Voipio, discovered via Linaro's LAVA testing, and was diagnosed as a security issue by Ian Campbell.
RESOLUTION
==========

Applying the appropriate attached patches resolves these security issues.

xsa102-unstable-*.patch    xen-unstable
xsa102-4.4-*.patch         Xen 4.4.x

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
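To make the flawed invariant from the advisory concrete, here is an added Python model (not Xen's code and not the upstream patch) of the trap-entry check: the pre-fix check insists that the trapped execution state equals the domain's width, so a 64-bit domain trapping from AArch32 EL0 hits the assertion, while the corrected form only rejects the truly impossible case. The SPSR bit layout used is real AArch64 (M[4] selects the execution state), but the function names and the exact corrected condition are assumptions made for this illustration.

```python
# Added model of the XSA-102 trap-entry invariant; not Xen's source.
# AArch64 SPSR_EL2 layout used here: bit 4 (M[4]) = 1 means the trapped
# context was in AArch32 state, 0 means AArch64; M[3:0] encodes the mode.
SPSR_M4_AARCH32 = 1 << 4
AARCH32_USER_MODE = 0b10000   # M[4]=1, M[3:0]=0b0000: AArch32 User mode
AARCH64_EL0T = 0b00000        # AArch64 EL0 with SP_EL0
AARCH64_EL1H = 0b00101        # AArch64 EL1 with SP_EL1


def trapped_from_aarch32(spsr: int) -> bool:
    """True when the saved program status says the guest was in AArch32."""
    return bool(spsr & SPSR_M4_AARCH32)


class HostCrash(Exception):
    """Stands in for the hypervisor assertion failure taking down the host."""


def flawed_trap_check(domain_is_64bit: bool, spsr: int) -> None:
    # Pre-fix invariant as the advisory describes it: guest execution
    # state must equal the domain address width. A 64-bit domain running
    # a 32-bit compat process traps from AArch32 and violates this.
    if trapped_from_aarch32(spsr) == domain_is_64bit:
        raise HostCrash("guest mode does not match domain address width")


def fixed_trap_check(domain_is_64bit: bool, spsr: int) -> None:
    # Corrected invariant (assumed here, not the exact upstream change):
    # a 64-bit domain may legitimately trap from either state, because
    # 32-bit userspace on a 64-bit kernel is valid; only a 32-bit domain
    # trapping from AArch64 is impossible.
    if not domain_is_64bit and not trapped_from_aarch32(spsr):
        raise HostCrash("32-bit domain cannot be in AArch64 state")


def survives(check, domain_is_64bit: bool, spsr: int) -> bool:
    """Run one check against a constructed trap frame; False means crash."""
    try:
        check(domain_is_64bit, spsr)
    except HostCrash:
        return False
    return True


if __name__ == "__main__":
    # Constructed scenario: 64-bit domain, trap taken from a 32-bit process.
    print("flawed:", survives(flawed_trap_check, True, AARCH32_USER_MODE))
    print("fixed: ", survives(fixed_trap_check, True, AARCH32_USER_MODE))
```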
Fixed in app-emulation/xen-4.4.0-r6; the vulnerable version has been cleaned, and I'm closing this bug. Thanks.
dlan, there need to be a few more things done when closing (like name change, whiteboard change). Just let the security team know and we can handle these, but please do not close the bugs as they no longer show up in searches that all of us have set up.
CVE-2014-5147 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5147): Xen 4.4.x, when running a 64-bit kernel on an ARM system, does not properly handle traps from the guest domain that use a different address width, which allows local guest users to cause a denial of service (host crash) via a crafted 32-bit process.