Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 571552 (CVE-2016-1570) - <app-emulation/xen{-tools}-4.6.0-r8: PV superpage functionality missing sanity checks (XSA-167) (CVE-2016-1570)
Summary: <app-emulation/xen{-tools}-4.6.0-r8: PV superpage functionality missing sanit...
Status: RESOLVED FIXED
Alias: CVE-2016-1570
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C2 [glsa cve]
Keywords: STABLEREQ
Depends on:
Blocks:
 
Reported: 2016-01-11 15:13 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-04-05 07:02 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-01-11 15:13:00 UTC
Xen Security Advisory XSA-167

            PV superpage functionality missing sanity checks

              *** EMBARGOED UNTIL 2016-01-20 12:00 UTC ***

ISSUE DESCRIPTION
=================

The PV superpage functionality lacks certain validity checks on data
being passed to the hypervisor by guests.  This is the case for the
page identifier (MFN) passed to MMUEXT_MARK_SUPER and
MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as
well as for various forms of page table updates.

IMPACT
======

Use of the feature, which is disabled by default, may have unknown
effects, ranging from information leaks through Denial of Service to
privilege escalation.

VULNERABLE SYSTEMS
==================

Only systems which enable the PV superpage feature are affected.  That
is, only systems with an `allowsuperpage' setting on the hypervisor
command line.  Note that in Xen 4.0.x and 3.4.x the option is named
`allowhugepage'.

Xen versions 3.4.0, 3.4.1, and from 4.1 onwards are affected.

Only x86 systems are affected.

Only PV guests can exploit the vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this issue.

Not enabling PV superpage support (by omitting the `allowsuperpage' or
`allowhugepage' hypervisor command line options) will avoid exposing
the issue.

CREDITS
=======

This issue was discovered by the 360 Marvel Team.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa167.patch           xen-unstable, Xen 4.6.x, 4.5.x
xsa167-4.4.patch       Xen 4.4.x, 4.3.x

$ sha256sum xsa167*
92dda6ba2de63062b8c2377d4d4228ee01a726c2fd126dfc9c9cb790a80db643  xsa167.patch
4c72916f233287ea512fb7041c3c0bbc170205e7d58711f3a7977cae3c2dbf1f  xsa167-4.4.patch
2613559c98909f3c93688a7f0d4979d5fdad4e46bf7f46a5d73c669620d7ac88  xsa167-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.


However deployment of the SUPERPAGE DISABLEMENT MITIGATION is NOT
permitted (except where all the affected systems and VMs are
administered and used only by organisations which are members of the
Xen Project Security Issues Predisclosure List).  Specifically,
deployment on public cloud systems is NOT permitted.

This is because disabling PV superpage support is visible to guests, so
such deployment could lead to the rediscovery of the vulnerability.

Deployment of the mitigation is permitted only AFTER the embargo ends.


Also: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-01-12 09:16:13 UTC
Updated resolution to be precise in patch naming


Almost:

xsa167.patch           xen-unstable
xsa167-4.6.patch       Xen 4.6.x, 4.5.x
xsa167-4.4.patch       Xen 4.4.x, 4.3.x

Will be fixed in next version sent out.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-01-20 12:14:48 UTC
Public release
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2016-01-21 14:21:58 UTC
commit 355e4fcbd3f83ef4b3d435e843503033d1a8c3b8
Author: Ian Delaney <idella4@gentoo.org>
Date:   Thu Jan 21 22:07:07 2016 +0800

    app-emulation/xen: revbumps to vns. 4.5.2-r4 4.6.0-r8
    
    wrt gentoo security bug. patches added; xsa 167-4.6, xsa168
    Purging of led version to await stabilsation of revbumped vns.
    
    Gentoo bug: #571556, #571552
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2016-01-21 14:29:52 UTC
Arches please stabilise

                                    Arches

=app-emulation/xen-4.5.2-r4         amd64  arm
=app-emulation/xen-4.6.0-r8         amd64  arm
=app-emulation/xen-tools-4.5.2-r4   amd64  arm  x86
=app-emulation/xen-tools-4.6.0-r7   amd64  arm  x86

The irregularity here is that xen-tools is still to be set stable for the first time.  I have no insight into how or way there is difficulty or delay in that, but if there is I have had no such notification.

I will await full stabilisation for clearing vulnerable version

This can serve for #571556
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2016-01-21 14:31:55 UTC
Need also include

commit dd9ecb826db3250e60c35d188804cb16cf0a6dde
Author: Ian Delaney <idella4@gentoo.org>
Date:   Thu Jan 21 22:03:25 2016 +0800

    app-emulation/xen-tools: revbumps to vns. 4.5.2-r4 4.6.0-r7
    
    wrt gentoo security bug. patches added; xsa 167-4.6, xsa168
    Purging of led version to await stabilsation of revbumped vns.
    
    Gentoo bug: #571556, #571552
Comment 6 Agostino Sarubbo gentoo-dev 2016-01-22 09:31:34 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-01-22 10:01:11 UTC
x86 stable
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-12 11:15:53 UTC
Added to existing GLSA.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-04-05 07:02:06 UTC
This issue was resolved and addressed in
 GLSA 201604-03 at https://security.gentoo.org/glsa/201604-03
by GLSA coordinator Yury German (BlueKnight).