Xen Security Advisory XSA-170

VMX: guest user mode may crash guest with non-canonical RIP

*** EMBARGOED UNTIL 2016-02-17 12:00 UTC ***

ISSUE DESCRIPTION
=================

VMX refuses attempts to enter a guest with an instruction pointer which doesn't satisfy certain requirements. In particular, the instruction pointer needs to be canonical when entering a guest currently in 64-bit mode. This is the case even if the VM entry information specifies an exception to be injected immediately (in which case the bad instruction pointer would possibly never get used for other than pushing onto the exception handler's stack).

Provided the guest OS allows user mode to map the virtual memory space immediately below the canonical/non-canonical address boundary, a non-canonical instruction pointer can result even from normal user mode execution. VM entry failure, however, is fatal to the guest.

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

Only systems using Intel or Cyrix CPUs are affected. ARM and AMD systems are unaffected.

Only HVM guests are affected.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Running HVM guests on only AMD hardware will also avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch works around this issue. Note that it does so in a way which isn't architecturally correct, but no better solution has been found (nor suggested by Intel).
xsa170.patch        xen-unstable, Xen 4.6.x
xsa170-4.5.patch    Xen 4.5.x, Xen 4.4.x
xsa170-4.3.patch    Xen 4.3.x

$ sha256sum xsa170*
cd1e4ba7cc31f8f7442c1c8a58b1bf9616fd3620bc2d224e2e930c4c78116366  xsa170.patch
864b980105da2bcc83b6f8dc3207cd87916b1dacd570cbafdcaa03843128d08f  xsa170-4.3.patch
8922b38e9b6636b4ec7234e9f2b7e121b7b851cbefdd453d866eef2beba64d72  xsa170-4.5.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.

(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html
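The canonical-address rule the advisory turns on, as an added illustration (not code from Xen or from the XSA-170 patch): a VMM-style pre-entry check that refuses a non-canonical 64-bit RIP, applied to the scenario where a user-mode instruction ends exactly at the canonical boundary. The va_bits parameter, the helper names and the sample RIP are assumptions made here; 48 bits is the 4-level paging width the advisory's hardware uses, 57 bits is shown only to generalize the check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* An address is canonical when bits [va_bits-1 .. 63] are all equal,
 * i.e. it sign-extends cleanly from the implemented virtual width.
 * Mask arithmetic avoids the UB of shifting signed values. */
static bool is_canonical(uint64_t addr, unsigned va_bits)
{
    uint64_t mask = ~UINT64_C(0) << (va_bits - 1);
    uint64_t high = addr & mask;
    return high == 0 || high == mask;
}

/* Highest canonical address of the lower (user-mode) half. */
static uint64_t last_canonical_user_addr(unsigned va_bits)
{
    return (UINT64_C(1) << (va_bits - 1)) - 1;
}

/* Model of the hardware VM-entry check the advisory describes: in 64-bit
 * mode, entry is refused when RIP is non-canonical, even when an exception
 * is being injected at the same time. Returns true when entry would fail. */
static bool vmentry_would_fail(uint64_t rip, bool long_mode, unsigned va_bits)
{
    return long_mode && !is_canonical(rip, va_bits);
}

/* RIP after an instruction of insn_len bytes executes at rip. */
static uint64_t rip_after_insn(uint64_t rip, unsigned insn_len)
{
    return rip + insn_len;
}

int main(void)
{
    unsigned va_bits = 48;
    uint64_t top = last_canonical_user_addr(va_bits);   /* 0x00007fffffffffff */
    /* Constructed sample: a 2-byte instruction mapped so it ends at top. */
    uint64_t rip = top - 1;
    uint64_t next = rip_after_insn(rip, 2);              /* 0x0000800000000000 */
    printf("next RIP %#llx canonical=%d vmentry_fails=%d\n",
           (unsigned long long)next, is_canonical(next, va_bits),
           vmentry_would_fail(next, true, va_bits));
    return 0;
}
```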
all clear for Xen 4.5.x Xen 4.6.x
Public release
commit ec32258807e87fb951a93726c93f823abb681ba3
Author: Ian Delaney <idella4@gentoo.org>
Date:   Fri Feb 19 23:59:30 2016 +0800

    app-emulation/xen-tools: revbumps; 4.5.2-r5, 4.6.0-r9 add sec patches xsa170 wrt the security bug

    Gentoo bug: #574012

    Package-Manager: portage-2.2.26

commit 9cdacdabd74f26b5141fc0a329f64fd5788267d5
Author: Ian Delaney <idella4@gentoo.org>
Date:   Fri Feb 19 21:41:02 2016 +0800

    app-emulation/xen: revbumps; 4.5.2-r5, 4.6.0-r9 add sec patches xsa170 wrt the security bug

    Gentoo bug: #574012
@arches, please mark the following stable:

app-emulation/xen-tools-4.5.2-r5
app-emulation/xen-tools-4.6.0-r9
TARGET KEYWORDS = amd64 x86

app-emulation/xen-4.5.2-r5
app-emulation/xen-4.6.0-r9
TARGET KEYWORDS = amd64
CVE-2016-2271 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2271):
VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP.

CVE-2016-2270 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2270):
Xen 4.6.x and earlier allows local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings.
*** Bug 574010 has been marked as a duplicate of this bug. ***
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Added to existing massive GLSA :)
commit 6902e0a359d140d0c8e9bbc9d6dacc5edf16d695
Author: Ian Delaney <idella4@gentoo.org>
Date:   Tue Mar 15 21:39:19 2016 +0800

    app-emulation/xen-tools: clean old vulnerable vns. wrt the gentoo security bug

    Gentoo bug: #574012

----------------------------------------------------

commit 23b1efac2e53d4e8584ee2ace8101a9c65cb6460
Author: Ian Delaney <idella4@gentoo.org>
Date:   Tue Mar 15 21:36:51 2016 +0800

    app-emulation/xen: clean old vulnerable vns. wrt the gentoo security bug

    Gentoo bug: #574012
Arches and Maintainer(s), Thank you for your work.
This issue was resolved and addressed in GLSA 201604-03 at https://security.gentoo.org/glsa/201604-03 by GLSA coordinator Yury German (BlueKnight).