Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 530980 (CVE-2014-8866) - <app-emulation/xen-{4.2.5-r3,4.3.3-r3,4.4.1-r4}: multiple vulnerabilties (CVE-2014-{8866,8867})
Summary: <app-emulation/xen-{4.2.5-r3,4.3.3-r3,4.4.1-r4}: multiple vulnerabilties (CVE...
Status: RESOLVED FIXED
Alias: CVE-2014-8866
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-28 11:58 UTC by Agostino Sarubbo
Modified: 2015-04-11 20:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-11-28 11:58:57 UTC
From http://www.openwall.com/lists/oss-security/2014/11/27/13:

            Xen Security Advisory CVE-2014-8866 / XSA-111
                              version 3

   Excessive checking in compatibility mode hypercall argument translation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The hypercall argument translation needed for 32-bit guests running on
64-bit hypervisors performs checks on the final register state.  These
checks cover all registers potentially holding hypercall arguments,
not just the ones actually doing so for the hypercall being processed,
since the code was originally intended for use only by PV guests.

While this is not a problem for PV guests (as they can't enter 64-bit
mode and hence can't alter the high halves of any of the registers),
the subsequent reuse of the same functionality for HVM guests exposed
those checks to values (specifically, unexpected values for the high
halves of registers not holding hypercall arguments) controlled by
guest software.

IMPACT
======

A buggy or malicious HVM guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen 3.3 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests on any version of Xen
so far released by xenproject.org.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa111-unstable.patch        xen-unstable, Xen 4.4.x
xsa111-4.3.patch             Xen 4.3.x
xsa111-4.2.patch             Xen 4.2.x



From http://www.openwall.com/lists/oss-security/2014/11/27/14:

            Xen Security Advisory CVE-2014-8867 / XSA-112
                              version 5

  Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor

UPDATES IN VERSION 5
====================

Public release.

ISSUE DESCRIPTION
=================

Acceleration support for the "REP MOVS" instruction, when the first
iteration accesses memory mapped I/O emulated internally in the
hypervisor, incorrectly assumes that the whole range accessed is
handled by the same hypervisor sub-component.

IMPACT
======

A buggy or malicious HVM guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable on x86 systems.
Older versions have not been inspected.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa112-unstable.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x
xsa112-4.2.patch             Xen 4.2.x



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yixun Lan gentoo-dev 2014-12-19 06:54:32 UTC
fixed in xen-4.2.5-r3, xen-4.3.3-r3, xen-4.4.1-r4, see bug 532030
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 21:42:11 UTC
CVE-2014-8867 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8867):
  The acceleration support for the "REP MOVS" instruction in Xen 4.4.x, 3.2.x,
  and earlier lacks properly bounds checking for memory mapped I/O (MMIO)
  emulated in the hypervisor, which allows local HVM guests to cause a denial
  of service (host crash) via unspecified vectors.

CVE-2014-8866 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8866):
  The compatibility mode hypercall argument translation in Xen 3.3.x through
  4.4.x, when running on a 64-bit hypervisor, allows local 32-bit HVM guests
  to cause a denial of service (host crash) via vectors involving altering the
  high halves of registers while in 64-bit mode.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-04-05 03:42:40 UTC
Maintainer(s), Thank you for you for cleanup.

Added to an existing GLSA Request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-04-11 20:37:50 UTC
This issue was resolved and addressed in
 GLSA 201504-04 at https://security.gentoo.org/glsa/201504-04
by GLSA coordinator Yury German (BlueKnight).