Bug 624114 (CVE-2017-10911) - <app-emulation/xen-tools-4.7.3: blkif responses leak backend stack data
Summary: <app-emulation/xen-tools-4.7.3: blkif responses leak backend stack data
Alias: CVE-2017-10911
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Depends on: CVE-2017-10920, CVE-2017-10921, CVE-2017-10922
Reported: 2017-07-07 14:48 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-10-15 20:09 UTC
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-07 14:48:50 UTC
From $URL:


The block interface response structure has some discontiguous fields.
Certain backends populate the structure fields of an otherwise
uninitialized instance of this structure on their stacks, leaking
data through the (internal or trailing) padding field.


A malicious unprivileged guest may be able to obtain sensitive
information from the host or other guests.


All Linux versions supporting the xen-blkback, blkback, or blktap
drivers are vulnerable.

FreeBSD, NetBSD and Windows (with or without PV drivers) are not
vulnerable (either because they do not have backends at all, or
because they use a different implementation technique which does not
suffer from this problem).

All qemu versions supporting the Xen block backend are vulnerable.  The
qemu-xen-traditional code base does not include such code, so is not
vulnerable.  Note that an instance of qemu will be spawned to provide
the backend for most non-raw-format disks; so you may need to apply the
patch to qemu even if you use only PV guests.


There's no mitigation available for x86 PV and ARM guests.

For x86 HVM guests it may be possible to change the guest
configuration such that a fully virtualized disk is being made
available instead.  However, this would normally entail changes inside
the guest itself.


This issue was discovered by Anthony Perard of Citrix.


Applying the appropriate attached patch resolves this issue.

xsa216-linux-4.11.patch           Linux 4.5 ... 4.11
xsa216-linux-4.4.patch            Linux 3.3 ... 4.4
xsa216-qemuu.patch                qemu-upstream master, 4.8
xsa216-qemuu-4.7.patch            qemu-upstream 4.7, 4.6
xsa216-qemuu-4.5.patch            qemu-upstream 4.5
xsa216-linux-2.6.18-xen.patch     linux-2.6.18-xen.hg

$ sha256sum xsa216*
d316e16f8da2078966e9d7d516dd0a9ed5a29c3bc479974374c8fa778859913d  xsa216-linux-2.6.18-xen.patch
4440fe324b61baf0f3f5a73352c4d9ac6f94917e216d8421263a5e67445852db  xsa216-linux-4.4.patch
eb24bfc0303e13e08fd3710463aea139a92a3f83db7f35119c4d3831154a6453  xsa216-linux-4.11.patch
b4b8f68fa05d718c5be7023c84d942e43725bcc563ea15556ee9646f6f9bf7e7  xsa216-qemuu.patch
4fc3665ff07ec79fb31ac66a3fd360a45b7ec546c549c04284f0128ad0c5beba  xsa216-qemuu-4.5.patch
a0e0dfd5ea2643ae14c220124194388017a3656db3e6ce430913cda800c43aad  xsa216-qemuu-4.7.patch


Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However, deployment of the mitigation is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.  This is because this produces a guest-visible
change which will indicate which component contains the vulnerability.

Additionally, distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
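
Added example (not part of the advisory, the attached patches, or this bug report): the padding leak described in the issue text above, reproduced deterministically in C. `demo_response`, `STALE` and the function names are hypothetical; the field types are assumed to mirror a block-interface response, and zeroing before use is shown as a general remedy, not as the content of the XSA-216 patches.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical type modelled on a blkif response; padding follows `operation`. */
struct demo_response { uint64_t id; uint8_t operation; int16_t status; };
#define RESP_SIZE sizeof(struct demo_response)
#define STALE 0xAA  /* constructed stand-in for leftover stack data */

/* Write only the named fields, as member-by-member assignment would. */
static void set_fields(unsigned char *obj, uint64_t id, uint8_t op, int16_t st)
{
    memcpy(obj + offsetof(struct demo_response, id), &id, sizeof id);
    memcpy(obj + offsetof(struct demo_response, operation), &op, sizeof op);
    memcpy(obj + offsetof(struct demo_response, status), &st, sizeof st);
}

/* Leaky: fields set on a never-cleared local, whole object copied out. */
static void respond_leaky(unsigned char *ring_slot, uint64_t id, uint8_t op, int16_t st)
{
    unsigned char local[RESP_SIZE];
    memset(local, STALE, sizeof local);  /* models uninitialized stack bytes */
    set_fields(local, id, op, st);
    memcpy(ring_slot, local, sizeof local);
}

/* Hardened: clear the whole object, padding included, before filling it. */
static void respond_zeroed(unsigned char *ring_slot, uint64_t id, uint8_t op, int16_t st)
{
    unsigned char local[RESP_SIZE];
    memset(local, 0, sizeof local);
    set_fields(local, id, op, st);
    memcpy(ring_slot, local, sizeof local);
}

/* Number of stale bytes that reach the guest-visible slot for one response. */
static size_t leak_count(int hardened)
{
    unsigned char slot[RESP_SIZE];
    size_t n = 0;
    (hardened ? respond_zeroed : respond_leaky)(slot, 1, 0, 0);
    for (size_t i = 0; i < RESP_SIZE; i++) n += (slot[i] == STALE);
    return n;
}

int main(void)
{
    return printf("leaky=%zu zeroed=%zu\n", leak_count(0), leak_count(1)) < 0;
}
```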

Comment 1 Yixun Lan archtester gentoo-dev 2017-07-12 07:28:48 UTC
commit 28429de463453f885a35e5059f47970b6d07aa74
Author: Yixun Lan <>
Date:   Wed Jul 12 15:22:23 2017 +0800

    app-emulation/xen-tools: security bump
    fix XSA-216,217,218,219,220,221,222,223,224,225
    Gentoo-Bug: 624112,624114,624116,624118,624120,
    Package-Manager: Portage-2.3.6, Repoman-2.3.2

:100644 100644 32c5829b637... 470e3e74c8b... M  app-emulation/xen-tools/Manifest
:100644 100644 32a28f3d3de... 6fe9bf07e8b... M  app-emulation/xen-tools/files/gentoo-patches.conf
:000000 100644 00000000000... 93100c8956a... A  app-emulation/xen-tools/xen-tools-4.7.3.ebuild
:000000 100644 00000000000... 4653c90e562... A  app-emulation/xen-tools/xen-tools-4.8.1-r1.ebuild
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-21 04:16:09 UTC
Thank you Yixun Lan

Arches please let us know when all is stable
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-21 04:18:03 UTC
Thank you Yixun Lan

Arches please let us know when all is stable
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-08-20 21:47:29 UTC
Added to an existing GLSA Request.

Maintainer(s), please drop the vulnerable version(s).
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2017-10-15 20:08:53 UTC
GLSA Vote: No

Cleanup will occur in another bug.