Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 593198 (CVE-2016-7092, CVE-2016-7093, CVE-2016-7094) - <app-emulation/xen-4.6.3-r2: Multiple Vulnerabilities (CVE-2016-{7092,7093,7094})
Summary: <app-emulation/xen-4.6.3-r2: Multiple Vulnerabilities (CVE-2016-{7092,7093,70...
Status: RESOLVED FIXED
Alias: CVE-2016-7092, CVE-2016-7093, CVE-2016-7094
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-08 13:16 UTC by Yury German
Modified: 2016-11-15 07:43 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Yury German Gentoo Infrastructure gentoo-dev 2016-09-08 13:16:15 UTC
Xen Security Advisory CVE-2016-7094 / XSA-187
                              version 3

                x86 HVM: Overflow of sh_ctxt->seg_reg[]

ISSUE DESCRIPTION
=================

x86 HVM guests running with shadow paging use a subset of the x86 emulator to
handle the guest writing to its own pagetables.  There are situations a guest
can provoke which result in exceeding the space allocated for internal state.


IMPACT
======

A malicious HVM guest administrator can cause Xen to fail a bug check,
causing a denial of service to the host.


VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

The vulnerability is only exposed to HVM guests on x86 hardware, which are
configured to run with shadow paging.

The vulnerability is not exposed to x86 PV guests, x86 HVM guests running with
hardware assisted paging, or ARM guests.


x86 HVM guests run in HAP mode by default on modern CPUs.

To discover whether your HVM guests are using HAP, or shadow page
tables: request debug key `q' (from the Xen console, or with
`xl debug-keys q').  This will print (to the console, and visible in
`xl dmesg'), debug information for every domain, containing something
like this:

  (XEN) General information for domain 2:
  (XEN)     refcnt=1 dying=2 pause_count=2
  (XEN)     nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400
  (XEN)     handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000
  (XEN)     paging assistance: hap refcounts translate external
                               ^^^
The presence of `hap' here indicates that the host is not
vulnerable to this domain.  For an HVM domain the presence of `shadow'
indicates that the domain can exploit the vulnerability.


MITIGATION
==========

Running only PV guests will avoid this vulnerability.

On hardware which supports Hardware Assisted Paging, configuring the
guests to not run with shadow paging will avoid this vulnerability.


CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the first patch will resolve this issue.

The second patch provides additional assurance that the vulnerability
is truly eliminated and that there are no related problems.

If hotpatching, applying only the first patch is recommended since the
second patch is awkward for hotpatching.  If deploying new builds,
applying both patches is recommended.

______________________________

            Xen Security Advisory CVE-2016-7092 / XSA-185
                              version 3

        x86: Disallow L3 recursive pagetable for 32-bit PV guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

On real hardware, a 32-bit PAE guest must leave the USER and RW bit
clear in L3 pagetable entries, but the pagetable walk behaves as if
they were set.  (The L3 entries are cached in processor registers, and
don't actually form part of the pagewalk.)

When running a 32-bit PV guest on a 64-bit Xen, Xen must always OR in
the USER and RW bits for L3 updates for the guest to observe
architectural behaviour.  This is unsafe in combination with recursive
pagetables.

As there is no way to construct an L3 recursive pagetable in native
32-bit PAE mode, disallow this option in 32-bit PV guests.

IMPACT
======

A malicious 32-bit PV guest administrator can escalate their privilege
to that of the host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only 64-bit builds of the hypervisor are vulnerable.  For Xen 4.3 and
earlier, 32-bit builds of the hypervisor are not vulnerable.

The vulnerability is only exposed to 32-bit PV guests on x86 hardware.

The vulnerability is not exposed to 64-bit PV guests, x86 HVM guests,
or ARM guests.

MITIGATION
==========

Running only 64-bit PV or HVM guests will avoid this vulnerability.

CREDITS
=======

This issue was found in parallel by multiple discoverers, who each
disclosed it to the Xen Project Security Team.

The first report to us was made by Jérémie Boutoille of Quarkslab.
The second report, one working day later, by Shangcong Luan of Alibaba
Cloud.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa185.patch           xen-unstable - Xen 4.4

$ sha256sum xsa185*
3328a1953ecdf4de35462ea8396b0927171d718e95f73a87a7f651427bd8f8b4  xsa18

______________________________

            Xen Security Advisory CVE-2016-7093 / XSA-186
                              version 4

      x86: Mishandling of instruction pointer truncation during emulation

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

When emulating HVM instructions, Xen uses a small i-cache for fetches
from guest memory.  The code that handles cache misses does not check
if the address from which it fetched lies within the cache before
blindly writing to it.  As such it is possible for the guest to
overwrite hypervisor memory.

It is currently believed that the only way to trigger this bug is to
use the way that Xen currently incorrectly wraps CS:IP in 16 bit
modes.  The included patch prevents such wrapping.

IMPACT
======

A malicious HVM guest administrator can escalate their privilege to that
of the host.

VULNERABLE SYSTEMS
==================

Xen versions 4.7.0 and later are vulnerable.
Xen releases 4.6.3 and 4.5.3 are vulnerable.

Xen releases 4.6.0 to 4.6.2 inclusive are NOT vulnerable.
Xen releases 4.5.2 and earlier are NOT vulnerable.

The vulnerability is only exposed to HVM guests on x86 hardware.

The vulnerability is not exposed to x86 PV guests, or ARM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Brian Marcotte.

RESOLUTION
==========

Applying the first patch will resolve the issue.
Comment 1 Yixun Lan archtester gentoo-dev 2016-09-09 09:40:40 UTC
fixed in tree
=app-emulation/xen-4.6.3-r2
=app-emulation/xen-4.7.0-r2


commit 1a7685105711a4c1c8899a717d128a569e63e608
Author: Yixun Lan <dlan@gentoo.org>
Date:   Fri Sep 9 09:16:47 2016 +0800

    app-emulation/xen: security bump, XSA-185/186/187
    
    Package-Manager: portage-2.3.0

:100644 100644 93dc0da... 94e76a9... M  app-emulation/xen/Manifest
:000000 100644 00000000.. 5773cce... A  app-emulation/xen/xen-4.6.3-r2.ebuild
:000000 100644 00000000.. 5773cce... A  app-emulation/xen/xen-4.7.0-r2.ebuild
Comment 2 Yixun Lan archtester gentoo-dev 2016-09-09 09:41:51 UTC
Arches, please test and mark stable:
=app-emulation/xen-4.6.3-r2
Target keyword only: "amd64"
Comment 3 Agostino Sarubbo gentoo-dev 2016-09-10 12:50:40 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2016-09-11 05:49:48 UTC
Arches, Thank you for your work.
Added to an existing GLSA Request.

Maintainer(s), please drop the vulnerable version(s).
Version: 4.6.3-r1
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2016-09-15 22:25:01 UTC
Maintainer(s), Thank you for cleanup!
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-11-15 07:43:44 UTC
This issue was resolved and addressed in
 GLSA 201611-09 at https://security.gentoo.org/glsa/201611-09
by GLSA coordinator Aaron Bauman (b-man).