Xen Security Advisory XSA-128 Potential unintended writes to host MSI message data field via qemu *** EMBARGOED UNTIL 2015-06-02 12:00 UTC *** ISSUE DESCRIPTION ================= Logic is in place to avoid writes to certain host config space fields when the guest must nevertheless be able to access their virtual counterparts. A bug in how this logic deals with accesses spanning multiple fields allows the guest to write to the host MSI message data field. While generally the writes write back the values previously read, their value in config space may have got changed by the host between the qemu read and write. In such a case host side interrupt handling could become confused, possibly losing interrupts or allowing spurious interrupt injection into other guests. IMPACT ====== Certain untrusted guest administrators may be able to confuse host side interrupt handling, leading to a Denial of Service. Xen Security Advisory XSA-129 PCI MSI mask bits inadvertently exposed to guests *** EMBARGOED UNTIL 2015-06-02 12:00 UTC *** ISSUE DESCRIPTION ================= The mask bits optionally available in the PCI MSI capability structure are used by the hypervisor to occasionally suppress interrupt delivery. Unprivileged guests were, however, nevertheless allowed direct control of these bits. IMPACT ====== Interrupts may be observed by Xen at unexpected times, which may lead to a host crash and therefore a Denial of Service. VULNERABLE SYSTEMS ================== Xen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only HVM guests with their device model run in Dom0 can take advantage of this vulnerability. Only HVM guests which have been granted access to physical PCI devices (`PCI passthrough') can take advantage of this vulnerability. Furthermore, the vulnerability is only applicable when the passed-through PCI devices are MSI-capable. (Most modern devices are.) MITIGATION ========== This issue can be avoided by not assigning MSI capable PCI devices to untrusted HVM guests. This issue can also be avoided by only using PV guests. It can also be avoided by configuring HVM guests with their device model run in a separate (stub) domain. (When using xl, this can be requested with "device_model_stubdomain_override=1" in the domain configuration file.) RESOLUTION ========== Applying the appropriate attached patch resolves this issue. VULNERABLE SYSTEMS ================== Xen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only HVM guests with their device model run in Dom0 can take advantage of this vulnerability. Only HVM guests which have been granted access to physical PCI devices (`PCI passthrough') can take advantage of this vulnerability. Furthermore, the vulnerability is only applicable when the passed-through PCI devices are MSI-capable. (Most modern devices are.) MITIGATION ========== This issue can be avoided by not assigning MSI capable PCI devices to untrusted HVM guests. This issue can also be avoided by only using PV guests. It can also be avoided by configuring HVM guests with their device model run in a separate (stub) domain. (When using xl, this can be requested with "device_model_stubdomain_override=1" in the domain configuration file.) RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Xen Security Advisory XSA-130 Guest triggerable qemu MSI-X pass-through error messages *** EMBARGOED UNTIL 2015-06-02 12:00 UTC *** ISSUE DESCRIPTION ================= Device model code dealing with guest PCI MSI-X interrupt management activities logs messages on certain (supposedly) invalid guest operations. IMPACT ====== A buggy or malicious guest repeatedly invoking such operations may result in the host disk to fill up, possibly leading to a Denial of Service. VULNERABLE SYSTEMS ================== Xen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only HVM guests with their device model run in Dom0 can take advantage of this vulnerability. Only HVM guests which have been granted access to physical PCI devices (`PCI passthrough') can take advantage of this vulnerability. Furthermore, the vulnerability is only applicable when the passed-through PCI devices are MSI-X capable. (Many modern devices are.) MITIGATION ========== This issue can be avoided by not assigning MSI-X capable PCI devices to untrusted HVM guests. This issue can also be avoided by only using PV guests. It can also be avoided by configuring HVM guests with their device model run in a separate (stub) domain. (When using xl, this can be requested with "device_model_stubdomain_override=1" in the domain configuration file.) RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Xen Security Advisory XSA-131 Unmediated PCI register access in qemu *** EMBARGOED UNTIL 2015-06-02 12:00 UTC *** ISSUE DESCRIPTION ================= Qemu allows guests to not only read, but also write all parts of the PCI config space (but not extended config space) of passed through PCI devices not explicitly dealt with for (partial) emulation purposes. IMPACT ====== Since the effect depends on the specific purpose of the the config space field, it's not possbile to give a general statement about the exact impact on the host or other guests. Privilege escalation, host crash (Denial of Service), and leaked information all cannot be excluded. VULNERABLE SYSTEMS ================== Xen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only HVM guests with their device model run in Dom0 can take advantage of this vulnerability. Only HVM guests which have been granted access to physical PCI devices (`PCI passthrough') can take advantage of this vulnerability. MITIGATION ========== This issue can be avoided by not assigning PCI devices to untrusted HVM guests. This issue can also be avoided by only using PV guests. It can also be avoided by configuring HVM guests with their device model run in a separate (stub) domain. (When using xl, this can be requested with "device_model_stubdomain_override=1" in the domain configuration file.) RESOLUTION ========== Applying the appropriate attached patch resolves this issue. DEPLOYMENT DURING EMBARGO ========================= Deployment of patches or migitations is NOT permitted (except on systems used and administered only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployent on public cloud systems is NOT permitted. This is because the altered PCI config space access behavior is visible to guests. Deployment is permitted only AFTER the embargo ends. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html
The patches have been sent to dlan by OpenPGP encrypted mail.
Now public, lifting restriction
bumped in tree +*xen-tools-4.5.0-r5 (03 Jun 2015) +*xen-tools-4.4.2-r3 (03 Jun 2015) +*xen-tools-4.2.5-r6 (03 Jun 2015) Arches, please test and mark stable: =app-emulation/xen-tools-4.2.5-r6 Target keywords Both : "amd64 x86" =app-emulation/xen-tools-4.4.2-r3 Target keywords Only: "amd64"
change title, since all patches apply to qemu-xen qemu-xen-traditinoal.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
06 Jun 2015; Ian Delaney <idella4@gentoo.org> -xen-tools-4.2.5-r5.ebuild, -xen-tools-4.4.2-r2.ebuild, -xen-tools-4.5.0-r4.ebuild: cleanup old wrt Bug #549950
CVE-2015-4106 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4106): QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which mighy allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors. CVE-2015-4105 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4105): Xen 3.3.x through 4.5.x enables logging for PCI MSI-X pass-through error messages, which allows local x86 HVM guests to cause a denial of service (host disk consumption) via certain invalid operations. CVE-2015-4104 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4104): Xen 3.3.x through 4.5.x does not properly restrict access to PCI MSI mask bits, which allows local x86 HVM guest users to cause a denial of service (unexpected interrupt and host crash) via unspecified vectors. CVE-2015-4103 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4103): Xen 3.3.x through 4.5.x does not properly restrict write access to the host MSI message data field, which allows local x86 HVM guest administrators cause a denial of service (host interrupt handling confusion) via vectors related to qemu and accessing spanning multiple fields.
Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA Request. (Under Xen)
This issue was resolved and addressed in GLSA 201604-03 at https://security.gentoo.org/glsa/201604-03 by GLSA coordinator Yury German (BlueKnight).