Bug 601250 (CVE-2016-9815, CVE-2016-9816, CVE-2016-9817, CVE-2016-9818, XSA-201) - <app-emulation/xen-{4.6.4-r2,4.7.1-r2,4.8.0}: guest-triggered asynchronous aborts
Status: RESOLVED FIXED
Alias: CVE-2016-9815, CVE-2016-9816, CVE-2016-9817, CVE-2016-9818, XSA-201
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa cve cleanup]
Keywords:
Depends on:
Blocks: CVE-2016-9637, XSA-199
Reported: 2016-11-30 04:00 UTC by Aaron Bauman (RETIRED)
Modified: 2016-12-31 16:17 UTC
Description Aaron Bauman (RETIRED) gentoo-dev 2016-11-30 04:00:09 UTC
Xen Security Advisory XSA-201

             ARM guests may induce host asynchronous abort

ISSUE DESCRIPTION
=================

Depending on how the hardware and firmware have been integrated,
guest-triggered asynchronous aborts (SError on ARMv8) may be received
by the hypervisor.  The current action is to crash the host.

A guest might trigger an asynchronous abort when accessing memory
mapped hardware in a non-conventional way.  Even if device
pass-through has not been configured, the hypervisor may give the
guest access to memory mapped hardware in order to take advantage of
hardware virtualization.

IMPACT
======

A malicious guest may be able to crash the host.

VULNERABLE SYSTEMS
==================

All Xen versions which support ARM are potentially affected.

Whether a particular ARM system is affected depends on technical
details of the hardware and/or firmware.

x86 systems are not affected.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather than
guest administrator, running only kernels which do not expose MMIO to
userspace will prevent untrusted guest users from exploiting this issue.
However untrusted guest administrators can still trigger it unless
further steps are taken to prevent them from loading code into the
kernel (e.g. by disabling loadable modules etc.) or from using other
mechanisms which allow them to run code at kernel privilege.

NOTE REGARDING LACK OF EMBARGO
==============================

The issue was discussed publicly (and has been fixed already in KVM in
public trees).

CREDITS
=======

This issue was discovered by ARM engineering personnel.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

xsa201-[1234].patch       Xen-unstable

xsa201-[12].patch         }
xsa201-3-4.7.patch        } Xen 4.7.x, Xen 4.6.x
xsa201-4.patch            }
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-08 16:40:28 UTC
Fixed ebuilds are now in Gentoo repository, https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ac9b49f20aa4f7c140134b16808f6984cf7002c


@ Maintainer(s): Thanks for the bump. Can we start stabilization of =app-emulation/xen-4.6.4-r2?
Comment 2 Yixun Lan archtester gentoo-dev 2016-12-08 22:43:33 UTC
sure, here we go!
let's also combine bug #600662 (XSA-199) together

Arches, please test and mark stable:
=app-emulation/xen-4.6.4-r2
Target keyword only: "amd64"

=app-emulation/xen-tools-4.6.4-r3
Target keywords: "amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2016-12-13 11:35:19 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-12-13 11:36:04 UTC
amd64 stable.

Maintainer(s), please clean up.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-12-13 11:58:46 UTC
GLSA Vote: No
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-12-13 13:58:30 UTC
Added to existing GLSA.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-12-31 16:17:57 UTC
This issue was resolved and addressed in
 GLSA 201612-56 at https://security.gentoo.org/glsa/201612-56
by GLSA coordinator Thomas Deutschmann (whissi).