Bug 522576 (CVE-2014-6268) - <app-emulation/xen-4.4.1-r1: Mishandling of uninitialised FIFO-based event channel control blocks (XSA-107) (CVE-2014-6268)
Status: RESOLVED FIXED
Alias: CVE-2014-6268
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-11 13:07 UTC by Agostino Sarubbo
Modified: 2014-09-12 12:47 UTC
Description Agostino Sarubbo gentoo-dev 2014-09-11 13:07:46 UTC
From ${URL} :

            Xen Security Advisory CVE-2014-6268 / XSA-107
                              version 2

    Mishandling of uninitialised FIFO-based event channel control blocks

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

When using the FIFO-based event channels, there are no checks for the
existence of a control block when binding an event or moving it to a
different VCPU.  This is because events may be bound when the ABI is
in 2-level mode (e.g., by the toolstack before the domain is started).

The guest may trigger a Xen crash in evtchn_fifo_set_pending() if:

  a) the event is bound to a VCPU without a control block; or
  b) VCPU 0 does not have a control block.

In case (a), Xen will crash when looking up the current queue.  In
(b), Xen will crash when looking up the old queue (which defaults to a
queue on VCPU 0).

IMPACT
======

A buggy or malicious guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen 4.4 and onward are vulnerable.

MITIGATION
==========

None.

CREDITS
=======

This issue was originally reported by Vitaly Kuznetsov at Red Hat and
diagnosed as a security issue by David Vrabel at Citrix.

NOTE REGARDING LACK OF EMBARGO
==============================

This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa107-unstable.patch        xen-unstable
xsa107-4.4.patch             Xen 4.4.x



@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
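
The two crash conditions from the advisory's issue description, as an added example that is not part of the bug report and is not Xen source code. It is a simplified model: every type, field and return code is hypothetical, and only the function name and cases (a) and (b) come from the advisory.

```c
/* Added illustration: a simplified model, NOT Xen source. Every type and
 * field here is hypothetical; only the function name and the two failure
 * cases come from the advisory. */
#include <stddef.h>
#include <stdio.h>

#define NR_VCPUS 2

struct control_block { unsigned int queued; };   /* registered by the guest, per VCPU */
struct vcpu   { struct control_block *cb; };     /* NULL until registered */
struct domain { struct vcpu vcpu[NR_VCPUS]; };
struct event  { unsigned int bound_vcpu, last_vcpu; int pending; };

enum { EVT_QUEUED = 0, EVT_NO_CURRENT_CB = -1, EVT_NO_OLD_CB = -2 };

/* Model of evtchn_fifo_set_pending() with the existence checks in place. */
int evtchn_fifo_set_pending(struct domain *d, struct event *e)
{
    struct vcpu *cur = &d->vcpu[e->bound_vcpu];
    struct vcpu *old = &d->vcpu[e->last_vcpu];   /* 0 for a never-queued event */

    /* Case (a): bound (e.g. while in 2-level mode) to a VCPU that has no
     * control block. Without this check, the current-queue lookup
     * dereferences NULL. */
    if (cur->cb == NULL)
        return EVT_NO_CURRENT_CB;

    /* Case (b): the old queue defaults to VCPU 0, so VCPU 0 needs a control
     * block even when the event is bound elsewhere. */
    if (old->cb == NULL)
        return EVT_NO_OLD_CB;

    e->pending = 1;
    cur->cb->queued++;
    e->last_vcpu = e->bound_vcpu;
    return EVT_QUEUED;
}

int main(void)
{
    struct control_block cb1 = { 0 };
    struct domain d = { { { NULL }, { &cb1 } } };    /* constructed: only VCPU 1 set up */
    struct event on0 = { 0, 0, 0 }, on1 = { 1, 0, 0 };

    printf("bound to VCPU 0: %d\n", evtchn_fifo_set_pending(&d, &on0)); /* case (a) */
    printf("bound to VCPU 1: %d\n", evtchn_fifo_set_pending(&d, &on1)); /* case (b) */
    return 0;
}
```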
Comment 1 Yixun Lan archtester gentoo-dev 2014-09-11 13:42:55 UTC
+*xen-4.4.1-r1 (11 Sep 2014)
+
+  11 Sep 2014; Yixun Lan <dlan@gentoo.org> -xen-4.4.1.ebuild,
+  +xen-4.4.1-r1.ebuild:
+  fix security bug 522576
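
Review bot: the ChangeLog message on the last added line, "fix security bug 522576", gives only the bug number. Adding the identifiers from the bug title (CVE-2014-6268, XSA-107) would let someone reading the ChangeLog see which advisory the -r1 revision addresses without opening the bug.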

I'll do the clean-up later, including xen, xen-tools, xen-pvgrub.
Comment 2 Yixun Lan archtester gentoo-dev 2014-09-12 02:41:37 UTC
Done the cleanup; the affected version has been removed.