From: Xen.org security team
Subject: Xen Security Advisory 31 (CVE-2012-5515) - Several memory hypercall operations allow invalid extent order values
Date: Mon, 03 Dec 2012 17:51:47 +0000
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com
Cc: Xen.org security team

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2012-5515 / XSA-31
                              version 3

 Several memory hypercall operations allow invalid extent order values

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Allowing arbitrary extent_order input values for
XENMEM_decrease_reservation, XENMEM_populate_physmap, and XENMEM_exchange
can cause an arbitrarily long time to be spent in loops without giving
other vital code a chance to execute.  It may also leave inconsistent
state at the completion of these hypercalls.

IMPACT
======

A malicious guest administrator can cause Xen to hang.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.  However, older versions (those not
supporting Populate-on-Demand, i.e. before 3.4) may only be
theoretically affected.

MITIGATION
==========

Running only trusted guest kernels will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.
xsa31-4.1.patch           Xen 4.1.x
xsa31-4.2-unstable.patch  Xen 4.2.x, xen-unstable

$ sha256sum xsa31*.patch
8e4bb43999d1a72d7f1b6ad3e66d0c173ca711c8145c5804b025eaa63d2c1691  xsa31-4.1.patch
090d0cca3eddaee798e5f06a8d5f469d47f874c657abcd6028248d949d36da81  xsa31-4.2-unstable.patch
$

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQvOJ4AAoJEIP+FMlX6CvZhCgIAIAkB8EpoFU0vwCW26toELFh
3odZ8kji4hBoIaR6vOj4BIrSuTxC+0TZl3JGSwxQ+zo2k15njNqPZM/8m5kztLzZ
K79GXhSRb6zo96EmAhxX6wU4qpBdDH7htdAsO74ApHdfw3hw9yXY2h+OkwiYTO6J
K0TegvNYoJ+9NJ4ePTgZpHp4B1H4ymtvw84uzNBJQ6ePR95lV4aOq7h1loIvMPzB
Mcxy+3LTAZasK7yYZLClyHXR46pN41qbMawKYNMp70+fQvyP58P6cExwZ4ODrbHf
dfgEg2yNeI4YXzOx2vbRSDRDAzf4lhGHq9fXhUpNF/denRJJCC9r/E0+nWTzWog=
=CUvM
-----END PGP SIGNATURE-----

Attachment xsa31-4.1.patch (base64 attachment decoded to text):

memop: limit guest specified extent order

Allowing unbounded order values here causes almost unbounded loops
and/or partially incomplete requests, particularly in PoD code.

The added range checks in populate_physmap(), decrease_reservation(),
and the "in" one in memory_exchange() architecturally all could use
PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to
MAX_ORDER.

This is XSA-31 / CVE-2012-5515.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

diff --git a/xen/common/memory.c b/xen/common/memory.c
index 4e7c234..9b9fb18 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -117,7 +117,8 @@ static void populate_physmap(struct memop_args *a)
 
         if ( a->memflags & MEMF_populate_on_demand )
         {
-            if ( guest_physmap_mark_populate_on_demand(d, gpfn,
+            if ( a->extent_order > MAX_ORDER ||
+                 guest_physmap_mark_populate_on_demand(d, gpfn,
                                                        a->extent_order) < 0 )
                 goto out;
         }
@@ -216,7 +217,8 @@ static void decrease_reservation(struct memop_args *a)
     xen_pfn_t gmfn;
 
     if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done,
-                                     a->nr_extents-1) )
+                                     a->nr_extents-1) ||
+         a->extent_order > MAX_ORDER )
         return;
 
     for ( i = a->nr_done; i < a->nr_extents; i++ )
@@ -278,6 +280,9 @@ static long memory_exchange(XEN_GUEST_HANDLE(xen_memory_exchange_t) arg)
     if ( (exch.nr_exchanged > exch.in.nr_extents) ||
          /* Input and output domain identifiers match? */
          (exch.in.domid != exch.out.domid) ||
+         /* Extent orders are sensible? */
+         (exch.in.extent_order > MAX_ORDER) ||
+         (exch.out.extent_order > MAX_ORDER) ||
          /* Sizes of input and output lists do not overflow a long? */
          ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) ||
          ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) ||

Attachment xsa31-4.2-unstable.patch (base64 attachment decoded to text):

memop: limit guest specified extent order

Allowing unbounded order values here causes almost unbounded loops
and/or partially incomplete requests, particularly in PoD code.

The added range checks in populate_physmap(), decrease_reservation(),
and the "in" one in memory_exchange() architecturally all could use
PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to
MAX_ORDER.

This is XSA-31 / CVE-2012-5515.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

diff --git a/xen/common/memory.c b/xen/common/memory.c
index 83e2666..2e56d46 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -115,7 +115,8 @@ static void populate_physmap(struct memop_args *a)
 
         if ( a->memflags & MEMF_populate_on_demand )
         {
-            if ( guest_physmap_mark_populate_on_demand(d, gpfn,
+            if ( a->extent_order > MAX_ORDER ||
+                 guest_physmap_mark_populate_on_demand(d, gpfn,
                                                        a->extent_order) < 0 )
                 goto out;
         }
@@ -235,7 +236,8 @@ static void decrease_reservation(struct memop_args *a)
     xen_pfn_t gmfn;
 
     if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done,
-                                     a->nr_extents-1) )
+                                     a->nr_extents-1) ||
+         a->extent_order > MAX_ORDER )
         return;
 
     for ( i = a->nr_done; i < a->nr_extents; i++ )
@@ -297,6 +299,9 @@ static long memory_exchange(XEN_GUEST_HANDLE_PARAM(xen_memory_exchange_t) arg)
     if ( (exch.nr_exchanged > exch.in.nr_extents) ||
          /* Input and output domain identifiers match? */
          (exch.in.domid != exch.out.domid) ||
+         /* Extent orders are sensible? */
+         (exch.in.extent_order > MAX_ORDER) ||
+         (exch.out.extent_order > MAX_ORDER) ||
          /* Sizes of input and output lists do not overflow a long? */
          ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) ||
          ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) ||
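Review bot: in the populate_physmap() hunk (same in both patches) the new `a->extent_order > MAX_ORDER ||` test sits inside the per-extent loop and only on the MEMF_populate_on_demand branch, so it is re-evaluated on every iteration and the non-PoD path of the same function gets no bound from this hunk at all. Hoisting it to the top of the function, the way the decrease_reservation() hunk places its check before the loop, would evaluate it once and cover both paths; if the non-PoD path is safe for another reason, a one-line comment saying why would stop the next reader asking the same question.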
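Review bot: in the decrease_reservation() hunk the order bound is OR-ed onto the guest_handle_subrange_okay() condition and shares its silent `return;`, which folds an argument-range check into a handle-validity check and, unlike the memory_exchange() hunk, carries no comment. A separate `if ( a->extent_order > MAX_ORDER )` with the same "Extent orders are sensible?" comment would read more clearly and keep the two failure causes distinguishable when debugging a guest that stops making progress.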
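Review bot: in the memory_exchange() hunk the position of the two new comparisons is load-bearing: they have to precede the existing `((~0UL >> exch.in.extent_order) < exch.in.nr_extents)` and `((~0UL >> exch.out.extent_order) < exch.out.nr_extents)` terms, because a shift count of BITS_PER_LONG or more is undefined in C and those terms were previously reachable with any guest-supplied order. Extending the "Extent orders are sensible?" comment to say that the ordering is deliberate would stop a later reshuffle of the condition list from quietly reintroducing that. The commit message's reason for using MAX_ORDER rather than PADDR_BITS - PAGE_SHIFT for the "in" order would also be worth keeping next to the check rather than only in the log.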
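The loop-length problem described under ISSUE DESCRIPTION, and why the bound added in the memory_exchange() hunk has to come before the existing "does not overflow a long" test, as a stand-alone C model. This is example code written for this page, not Xen's; the value of MAX_ORDER, the four-scalar argument list (instead of xen_memory_exchange_t), the function names and the use of -EINVAL are assumptions, and the requests in main() are constructed.

```c
/*
 * Added example for XSA-31, not Xen code.  Models the sanity check that the
 * memory_exchange() hunk extends, in a form that compiles on its own.
 * Assumptions: MAX_ORDER = 20, four scalar arguments instead of Xen's
 * xen_memory_exchange_t, -EINVAL as the rejection code.
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>

#define MAX_ORDER     20UL                           /* assumed for the example */
#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/*
 * Pre-patch shape of the check: only "does nr_extents << order fit in a
 * long?" is tested.  One extent of order BITS_PER_LONG-1 passes it, yet asks
 * the hypervisor to walk 2^(BITS_PER_LONG-1) pages.  Shifting by a count
 * >= BITS_PER_LONG is undefined in C, so this model refuses such counts up
 * front; the real pre-patch code had no such refusal.
 */
int sanity_check_unpatched(unsigned long in_nr, unsigned long in_order,
                           unsigned long out_nr, unsigned long out_order)
{
    if (in_order >= BITS_PER_LONG || out_order >= BITS_PER_LONG)
        return -EINVAL;                              /* model-only guard */
    /* Sizes of input and output lists do not overflow a long? */
    if ((~0UL >> in_order) < in_nr || (~0UL >> out_order) < out_nr)
        return -EINVAL;
    return 0;
}

/*
 * Patched shape: bound both orders first, then apply the overflow test.
 * The bound must come first so the shifts below never see an oversized count.
 */
int sanity_check_patched(unsigned long in_nr, unsigned long in_order,
                         unsigned long out_nr, unsigned long out_order)
{
    /* Extent orders are sensible? */
    if (in_order > MAX_ORDER || out_order > MAX_ORDER)
        return -EINVAL;
    /* Sizes of input and output lists do not overflow a long? */
    if ((~0UL >> in_order) < in_nr || (~0UL >> out_order) < out_nr)
        return -EINVAL;
    return 0;
}

/*
 * Pages the per-extent loop would visit for one list: nr_extents * 2^order,
 * saturating at ULONG_MAX so the unpatched cases can be shown.
 */
unsigned long loop_pages(unsigned long nr_extents, unsigned long order)
{
    if (order >= BITS_PER_LONG || nr_extents > (~0UL >> order))
        return ULONG_MAX;
    return nr_extents << order;
}

int main(void)
{
    /* Constructed requests: {in_nr, in_order, out_nr, out_order}. */
    const unsigned long reqs[][4] = {
        { 16, 0, 1, 4 },                             /* 16 x 4K pages for 1 x 64K */
        { 1, MAX_ORDER, 1, MAX_ORDER },              /* largest order still allowed */
        { 1, MAX_ORDER + 1, 1, 0 },                  /* one order too many */
        { 1, BITS_PER_LONG - 1, 1, BITS_PER_LONG - 1 }, /* the hang: 2^63 pages per extent */
    };

    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        const unsigned long *r = reqs[i];
        printf("in: %lu x 2^%lu  unpatched=%d patched=%d  loop pages=%lu\n",
               r[0], r[1],
               sanity_check_unpatched(r[0], r[1], r[2], r[3]),
               sanity_check_patched(r[0], r[1], r[2], r[3]),
               loop_pages(r[0], r[1]));
    }
    return 0;
}
```

The fourth request is the interesting one: the pre-patch overflow test accepts it, because one extent shifted by 63 still fits in a long, while the hypervisor would then iterate over 2^63 pages with no preemption point. The MAX_ORDER bound rejects it before the shift is ever evaluated.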