Xen Security Advisory XSA-182

x86: Privilege escalation in PV guests

*** EMBARGOED UNTIL 2016-07-26 12:00 UTC ***

ISSUE DESCRIPTION
=================

The PV pagetable code has fast-paths for making updates to pre-existing
pagetable entries, to skip expensive re-validation in safe cases (e.g.
clearing only Access/Dirty bits). The bits considered safe were too
broad, and not actually safe.

IMPACT
======

A malicious PV guest administrator can escalate their privilege to that
of the host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

The vulnerability is only exposed to PV guests on x86 hardware.

The vulnerability is not exposed to x86 HVM guests, or ARM guests.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa182.patch        xen-unstable, Xen 4.7.x
xsa182-4.6.patch    Xen 4.6.x
xsa182-4.5.patch    Xen 4.5.x, 4.4.x, 4.3.x

$ sha256sum xsa182*
7142b80e6b7bfe28a184774f0ffdfd01b7f7be0fb674392dfcdbfec29a27b0cd  xsa182-unstable.patch
c5747cb25beb8e9a1f1f5427d89b2f90fd47d8e6fc4af9ffbf3878c19015fd9c  xsa182-4.5.patch
bb397629c599427dbef99ce795bc9848b0898af12741db63442abe70f1fe93ae  xsa182-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

http://www.xenproject.org/security-policy.html
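The XSA-182 description boils down to a whitelist decision: an update to an existing pagetable entry may skip full re-validation only if the bits that actually changed are all "safe". The following is an added illustration, not Xen's code and not the patch above: it models such a fast-path check with the architectural x86 PTE flag positions and compares a narrow whitelist (Accessed/Dirty only, the safe case the advisory names) against a hypothetical over-broad one that also treats the RW bit as safe. The masks, the sample entries and the function names are constructed for this example.

```c
/* Added example (not Xen's code): modelling a fast-path "safe bits"
 * check for updates to existing pagetable entries, as discussed in
 * XSA-182. Flag bit positions are the architectural x86 PTE layout;
 * the two whitelists are illustrative, not Xen's actual masks. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT   (1ULL << 0)
#define PTE_RW        (1ULL << 1)
#define PTE_USER      (1ULL << 2)
#define PTE_ACCESSED  (1ULL << 5)
#define PTE_DIRTY     (1ULL << 6)
#define PTE_NX        (1ULL << 63)
#define PTE_ADDR_MASK 0x000ffffffffff000ULL   /* 52-bit physical frame */

/* Narrow whitelist: only the hardware-maintained A/D bits may change
 * without re-validating the entry. */
#define FASTPATH_SAFE_NARROW (PTE_ACCESSED | PTE_DIRTY)

/* Hypothetical over-broad whitelist: also treats RW as "safe". A
 * permission bit changing without re-validation is exactly the kind of
 * gap the advisory describes as "too broad, and not actually safe". */
#define FASTPATH_SAFE_BROAD  (PTE_ACCESSED | PTE_DIRTY | PTE_RW)

/* Returns true if the update old -> new may take the fast path under
 * the given whitelist: both entries present, same target frame, and
 * every changed bit inside the whitelist. Anything else must go
 * through full re-validation. */
bool fastpath_ok(uint64_t old, uint64_t new, uint64_t whitelist)
{
    uint64_t changed = old ^ new;

    if (!(old & PTE_PRESENT) || !(new & PTE_PRESENT))
        return false;               /* presence change: slow path */
    if (changed & PTE_ADDR_MASK)
        return false;               /* frame change: slow path */
    return (changed & ~whitelist) == 0;
}

/* Audit helper: does this whitelist let a read-only entry become
 * writable without re-validation? Any whitelist for which this is true
 * skips the check that protects pagetables from being mapped RW. */
bool whitelist_permits_rw_escalation(uint64_t whitelist)
{
    uint64_t ro = 0x1000ULL | PTE_PRESENT | PTE_ACCESSED;  /* constructed */
    return fastpath_ok(ro, ro | PTE_RW, whitelist);
}

int main(void)
{
    /* Constructed sample entry: present, accessed, dirty, frame 0x1000. */
    uint64_t old = 0x1000ULL | PTE_PRESENT | PTE_ACCESSED | PTE_DIRTY;
    uint64_t clear_dirty = old & ~PTE_DIRTY;
    uint64_t set_rw      = old | PTE_RW;
    uint64_t new_frame   = (old & ~PTE_ADDR_MASK) | 0x2000ULL;

    printf("clear Dirty  narrow=%d broad=%d\n",
           fastpath_ok(old, clear_dirty, FASTPATH_SAFE_NARROW),
           fastpath_ok(old, clear_dirty, FASTPATH_SAFE_BROAD));
    printf("set RW       narrow=%d broad=%d\n",
           fastpath_ok(old, set_rw, FASTPATH_SAFE_NARROW),
           fastpath_ok(old, set_rw, FASTPATH_SAFE_BROAD));
    printf("change frame narrow=%d broad=%d\n",
           fastpath_ok(old, new_frame, FASTPATH_SAFE_NARROW),
           fastpath_ok(old, new_frame, FASTPATH_SAFE_BROAD));
    printf("broad whitelist permits RW escalation: %d\n",
           whitelist_permits_rw_escalation(FASTPATH_SAFE_BROAD));
    return 0;
}
```

The audit helper is the defender's takeaway: when reviewing a fast path of this shape, enumerate the whitelist and ask for each bit whether flipping it could change what the entry grants; only bits that cannot (A/D bookkeeping) belong in it.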
Created attachment 440622 [details, diff] xsa182-4.5.patch
Created attachment 440624 [details, diff] xsa182-4.6.patch
Created attachment 440628 [details, diff] xsa182-unstable.patch
Created attachment 440630 [details, diff] xsa183-4.6.patch
Created attachment 440632 [details, diff] xsa183-unstable.patch
Xen Security Advisory XSA-183

x86: Missing SMAP whitelisting in 32-bit exception / event delivery

*** EMBARGOED UNTIL 2016-07-26 12:00 UTC ***

ISSUE DESCRIPTION
=================

Supervisor Mode Access Prevention is a hardware feature designed to make
an Operating System more robust, by raising a pagefault rather than
accidentally following a pointer into userspace. However, legitimate
accesses into userspace require whitelisting, and the exception delivery
mechanism for 32-bit PV guests wasn't whitelisted.

IMPACT
======

A malicious 32-bit PV guest kernel can trigger a safety check, crashing
the hypervisor and causing a denial of service to other VMs on the host.

VULNERABLE SYSTEMS
==================

Xen version 4.5 and newer are vulnerable. Versions 4.4 and older are
not, due to not having software support for SMAP.

The vulnerability is only exposed on x86 hardware supporting the SMAP
feature (Intel Broadwell and later CPUs).

The vulnerability is not exposed on ARM hardware, or x86 hardware which
does not support SMAP.

The vulnerability is only exposed to x86 32-bit PV guests.

The vulnerability is not exposed to 64-bit PV guests or HVM guests.

MITIGATION
==========

Running only HVM guests or 64-bit PV guests avoids the vulnerability.

Disabling SMAP in the hypervisor by booting Xen with "smap=0" on the
command line will avoid this vulnerability. (Depending on the
circumstances this workaround may pose a small risk of increasing the
impact of other, possibly unknown, vulnerabilities.)

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa183.patch        xen-unstable, 4.7.x
xsa183-4.6.patch    Xen 4.6.x, 4.5.x

$ sha256sum xsa183*
7d349c7c33e3bd7fcbc493a819f1d2007b9c38d4425d9e4ba642e402e007892b  xsa183-unstable.patch
d66d6ae60a1f18e19fe85850b8c8ec1af70eb81635c274a770a2eeda58404c14  xsa183-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Deployment of the "smap=0" mitigation is NOT permitted (except
where all the affected systems and VMs are administered and used only
by organisations which are members of the Xen Project Security Issues
Predisclosure List). Specifically, deployment on public cloud systems
is NOT permitted.

This is because this produces a guest-visible change which could lead
to rediscovery of the vulnerability.

And: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

http://www.xenproject.org/security-policy.html
@bman, you don't have to attach patches here (may save your time), we've already got via xen upstream's security list
(In reply to Yixun Lan from comment #7)
> @bman, you don't have to attach patches here (may save your time), we've
> already got via xen upstream's security list

Thank you. Kristian informed me as well and I will not attach them in the future.
fixed at
=app-emulation/xen-4.6.3-r1
=app-emulation/xen-4.7.0-r1

btw, there is another XSA-184 which will expire at 2016/07/27 15:00
do you guys want to stable this version? or wait for the next -r2?
Arches, please test and mark stable:
=app-emulation/xen-4.6.3-r1
Target keyword only: "amd64"

=app-emulation/xen-pvgrub-4.6.3
=app-emulation/xen-tools-4.6.3
Target keywords: "amd64 x86"

Notice: I'll bump to =app-emulation/xen-tools-r1 soon (14 hours later)
updated, included XSA-184 fix

arches, please test and mark stable:
=app-emulation/xen-4.6.3-r1
Target keyword only: "amd64"

=app-emulation/xen-pvgrub-4.6.3
=app-emulation/xen-tools-4.6.3-r1
Target keywords: "amd64 x86"
Embargo date is passed, making bug publicly visible
amd64 stable
x86 stable. Maintainer(s), please cleanup.
done the cleanup, thanks

commit b640b623d901afc89ac1e47c7dd5f8b94cebcd12
Author: Yixun Lan <dlan@gentoo.org>
Date:   Fri Jul 29 00:48:13 2016 +0800

    app-emulation/xen-pvgrub: drop old

    Package-Manager: portage-2.3.0

:100644 100644 9d16eff... 5939f84... M  app-emulation/xen-pvgrub/Manifest
:100644 000000 4e08a30... 0000000... D  app-emulation/xen-pvgrub/files/xen-4-fix_dotconfig-gcc.patch
:100644 000000 f2525ae... 0000000... D  app-emulation/xen-pvgrub/files/xen-4.2.1-externals.patch
:100644 000000 588be74... 0000000... D  app-emulation/xen-pvgrub/files/xen-4.3-fix_dotconfig-gcc.patch
:100644 000000 5bba0fd... 0000000... D  app-emulation/xen-pvgrub/files/xen-4.4-fix_dotconfig-gcc.patch
:100644 000000 33d56db... 0000000... D  app-emulation/xen-pvgrub/files/xen-pvgrub-4-qa.patch
:100644 000000 ea69366... 0000000... D  app-emulation/xen-pvgrub/files/xen-pvgrub-4.2.3-qa.patch
:100644 000000 f5cb3d2... 0000000... D  app-emulation/xen-pvgrub/files/xen-pvgrub-4.3.1-qa.patch
:100644 000000 eb54859... 0000000... D  app-emulation/xen-pvgrub/xen-pvgrub-4.6.0.ebuild
:100644 000000 bf577ad... 0000000... D  app-emulation/xen-pvgrub/xen-pvgrub-4.6.1.ebuild

commit f2ad0b87046b1a0349f702a7126b66c4a360214c
Author: Yixun Lan <dlan@gentoo.org>
Date:   Fri Jul 29 00:44:19 2016 +0800

    app-emulation/xen-tools: drop old vulnerable versions

    Gentoo-Bug: 588780
    Package-Manager: portage-2.3.0

:100644 100644 f4a828a... c614caa... M  app-emulation/xen-tools/Manifest
:100644 000000 8e879dc... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.0-r10.ebuild
:100644 000000 0ce7a84... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.0-r11.ebuild
:100644 000000 92486da... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.0-r9.ebuild
:100644 000000 ecf2593... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.1-r1.ebuild
:100644 000000 1d23c9f... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.1-r2.ebuild
:100644 000000 1a0afb5... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.1-r3.ebuild
:100644 000000 0b7d40f... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.1-r4.ebuild
:100644 000000 a63bbda... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.1.ebuild
:100644 000000 62d7661... 0000000... D  app-emulation/xen-tools/xen-tools-4.6.3.ebuild
:100644 000000 62d7661... 0000000... D  app-emulation/xen-tools/xen-tools-4.7.0.ebuild

commit 84bf2b9c833cde1fcaa35aa8b59fd86a67d2659b
Author: Yixun Lan <dlan@gentoo.org>
Date:   Fri Jul 29 00:37:03 2016 +0800

    app-emulation/xen: drop old vulnerable versions

    Gentoo-Bug: 588780
    Package-Manager: portage-2.3.0

:100644 100644 905cd14... 93dc0da... M  app-emulation/xen/Manifest
:100644 000000 c0dbd20... 0000000... D  app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch
:100644 000000 6e38aaa... 0000000... D  app-emulation/xen/files/xen-4.2-efi.patch
:100644 000000 76ff44a... 0000000... D  app-emulation/xen/files/xen-4.5-efi.patch
:100644 000000 9402472... 0000000... D  app-emulation/xen/xen-4.6.0-r10.ebuild
:100644 000000 04e2f63... 0000000... D  app-emulation/xen/xen-4.6.0-r9.ebuild
:100644 000000 ce56970... 0000000... D  app-emulation/xen/xen-4.6.1-r1.ebuild
:100644 000000 4461a53... 0000000... D  app-emulation/xen/xen-4.6.1-r2.ebuild
:100644 000000 8a514ff... 0000000... D  app-emulation/xen/xen-4.6.1-r3.ebuild
:100644 000000 6277f0c... 0000000... D  app-emulation/xen/xen-4.6.1.ebuild
:100644 000000 97198be... 0000000... D  app-emulation/xen/xen-4.6.3.ebuild
:100644 000000 97198be... 0000000... D  app-emulation/xen/xen-4.7.0.ebuild
This issue was resolved and addressed in GLSA 201611-09 at https://security.gentoo.org/glsa/201611-09 by GLSA coordinator Aaron Bauman (b-man).