Bug 574012 (CVE-2016-2271, XSA-170) - <app-emulation/xen-{4.5.2-r5, 4.6.0-r9} <app-emulation/xen-tools-{4.5.2-r5, 4.6.0-r9} : Multiple vulnerabilities (CVE-2016-{2270,2271})
Summary: <app-emulation/xen-{4.5.2-r5, 4.6.0-r9} <app-emulation/xen-tools-{4.5.2-r5, 4...
Status: RESOLVED FIXED
Alias: CVE-2016-2271, XSA-170
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa cve]
Keywords:
: CVE-2016-2270, XSA-154
Depends on:
Blocks: CVE-2016-1571
Reported: 2016-02-06 16:07 UTC by Kristian Fiskerstrand
Modified: 2016-04-05 07:02 UTC
Description Kristian Fiskerstrand gentoo-dev Security 2016-02-06 16:07:41 UTC
Xen Security Advisory XSA-170

      VMX: guest user mode may crash guest with non-canonical RIP

              *** EMBARGOED UNTIL 2016-02-17 12:00 UTC ***

ISSUE DESCRIPTION
=================

VMX refuses attempts to enter a guest with an instruction pointer which
doesn't satisfy certain requirements.  In particular, the instruction
pointer needs to be canonical when entering a guest currently in 64-bit
mode.  This is the case even if the VM entry information specifies an
exception to be injected immediately (in which case the bad instruction
pointer would possibly never get used for other than pushing onto the
exception handler's stack).  Provided the guest OS allows user mode to
map the virtual memory space immediately below the canonical/non-
canonical address boundary, a non-canonical instruction pointer can
result even from normal user mode execution. VM entry failure, however,
is fatal to the guest.

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

Only systems using Intel or Cyrix CPUs are affected. ARM and AMD
systems are unaffected.

Only HVM guests are affected.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Running HVM guests on only AMD hardware will also avoid this
vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch works around this issue.  Note
that it does so in a way which isn't architecturally correct, but no
better solution has been found (nor suggested by Intel).

xsa170.patch           xen-unstable, Xen 4.6.x
xsa170-4.5.patch       Xen 4.5.x, Xen 4.4.x
xsa170-4.3.patch       Xen 4.3.x

$ sha256sum xsa170*
cd1e4ba7cc31f8f7442c1c8a58b1bf9616fd3620bc2d224e2e930c4c78116366  xsa170.patch
864b980105da2bcc83b6f8dc3207cd87916b1dacd570cbafdcaa03843128d08f  xsa170-4.3.patch
8922b38e9b6636b4ec7234e9f2b7e121b7b851cbefdd453d866eef2beba64d72  xsa170-4.5.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
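The advisory hinges on two facts about x86-64: the instruction pointer is not masked when it is incremented past the last byte of an instruction, and VMX requires the guest RIP to be canonical on entry to a 64-bit-mode guest even when an exception is being injected at the same entry. The following is an added, stand-alone C model written for this page; it is not Xen code and not Intel reference code. It assumes 48 implemented linear-address bits (the `va_bits` parameter, 48 being the common value on hardware of that era) and models a single-byte instruction placed at the highest canonical address, as a guest user process could do if the guest OS lets it map that page:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not Xen code). Canonical-address rule for x86-64: with
 * va_bits implemented linear-address bits, bits [63:va_bits-1] must all
 * be equal. Implemented with unsigned shifts so no signed-shift behaviour
 * is relied on. */
bool is_canonical(uint64_t addr, unsigned va_bits)
{
    uint64_t top = addr >> (va_bits - 1);           /* bits [63:va_bits-1] */
    uint64_t all = UINT64_MAX >> (va_bits - 1);     /* all of those bits set */
    return top == 0 || top == all;
}

/* Highest canonical address in the lower half: 0x00007FFFFFFFFFFF for 48 bits.
 * This is the last byte a guest OS could hand out to user mode. */
uint64_t canonical_boundary(unsigned va_bits)
{
    return (UINT64_C(1) << (va_bits - 1)) - 1;
}

/* RIP after a non-branching instruction of insn_len bytes at rip retires.
 * The CPU does not wrap or mask here, so RIP can cross the boundary. */
uint64_t next_rip(uint64_t rip, unsigned insn_len)
{
    return rip + insn_len;
}

/* Model of the VM-entry check the advisory describes: for a guest in 64-bit
 * mode the RIP must be canonical. The event_injected flag is accepted only
 * to make the point explicit: it does not relax the check, which is why the
 * hypervisor cannot simply inject #GP and carry on. Returns true when entry
 * would fail. */
bool vmentry_would_fail(uint64_t guest_rip, unsigned va_bits, bool event_injected)
{
    (void)event_injected;
    return !is_canonical(guest_rip, va_bits);
}

int main(void)
{
    const unsigned va_bits = 48;                    /* assumption: 48-bit VA */
    uint64_t rip = canonical_boundary(va_bits);     /* 1-byte insn placed here */
    uint64_t after = next_rip(rip, 1);

    printf("insn at %#018llx, RIP after retire %#018llx, canonical=%d\n",
           (unsigned long long)rip, (unsigned long long)after,
           is_canonical(after, va_bits));
    printf("VM entry with #GP injected would fail: %d\n",
           vmentry_would_fail(after, va_bits, true));
    return 0;
}
```

Run it and the second line reads 1: once user-mode code has executed the byte at the boundary, the guest's saved RIP is `0x0000800000000000`, and because the entry check is applied before any injected exception is delivered, there is no RIP-preserving way for the hypervisor to resume the guest. That is why the advisory notes the fix is not architecturally exact: the only options are to alter guest state or to fail the entry.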
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2016-02-16 13:47:23 UTC
all clear for Xen 4.5.x Xen 4.6.x
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2016-02-17 13:35:00 UTC
Public release
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2016-02-19 16:13:05 UTC
commit ec32258807e87fb951a93726c93f823abb681ba3
Author: Ian Delaney <idella4@gentoo.org>
Date:   Fri Feb 19 23:59:30 2016 +0800

    app-emulation/xen-tools: revbumps; 4.5.2-r5, 4.6.0-r9
    
    add sec patches xsa170 wrt the security bug
    
    Gentoo bug: #574012
    
    Package-Manager: portage-2.2.26

commit 9cdacdabd74f26b5141fc0a329f64fd5788267d5
Author: Ian Delaney <idella4@gentoo.org>
Date:   Fri Feb 19 21:41:02 2016 +0800

    app-emulation/xen: revbumps; 4.5.2-r5, 4.6.0-r9
    
    add sec patches xsa170 wrt the security bug
    
    Gentoo bug: #574012
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-12 13:00:17 UTC
@arches, please mark the following stable:

app-emulation/xen-tools-4.5.2-r5
app-emulation/xen-tools-4.6.0-r9

TARGET KEYWORDS = amd64 x86

app-emulation/xen-4.5.2-r5
app-emulation/xen-4.6.0-r9

TARGET KEYWORDS = amd64
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-03-14 12:08:53 UTC
CVE-2016-2271 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2271):
  VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local
  HVM guest users to cause a denial of service (guest crash) via vectors
  related to a non-canonical RIP.

CVE-2016-2270 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2270):
  Xen 4.6.x and earlier allows local guest administrators to cause a denial of
  service (host reboot) via vectors related to multiple mappings of MMIO pages
  with different cachability settings.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-14 12:12:46 UTC
*** Bug 574010 has been marked as a duplicate of this bug. ***
Comment 7 Agostino Sarubbo gentoo-dev 2016-03-15 08:11:58 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-15 08:13:24 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-15 09:31:14 UTC
Added to existing massive GLSA :)
Comment 10 Ian Delaney (RETIRED) gentoo-dev 2016-03-15 13:41:33 UTC
commit 6902e0a359d140d0c8e9bbc9d6dacc5edf16d695
Author: Ian Delaney <idella4@gentoo.org>
Date:   Tue Mar 15 21:39:19 2016 +0800

    app-emulation/xen-tools: clean old vulnerable vns.
    
    wrt the gentoo security bug
    
    Gentoo bug: #574012
    
----------------------------------------------------

commit 23b1efac2e53d4e8584ee2ace8101a9c65cb6460
Author: Ian Delaney <idella4@gentoo.org>
Date:   Tue Mar 15 21:36:51 2016 +0800

    app-emulation/xen: clean old vulnerable vns.
    
    wrt the gentoo security bug
    
    Gentoo bug: #574012
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2016-04-05 06:54:05 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-04-05 07:02:22 UTC
This issue was resolved and addressed in
 GLSA 201604-03 at https://security.gentoo.org/glsa/201604-03
by GLSA coordinator Yury German (BlueKnight).