From: Xen.org security team
Subject: Xen Security Advisory 95 (CVE-2014-3714, CVE-2014-3715, CVE-2014-3716, CVE-2014-3717) - input handling vulnerabilities loading guest kernel on ARM
Date: Fri, 16 May 2014 10:35:40 +0000
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com
Cc: "Xen.org security team"
List-Id: xen-devel@lists.xenproject.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

     Xen Security Advisory CVE-2014-3714,CVE-2014-3715,CVE-2014-3716,CVE-2014-3717 / XSA-95
                                version 3

        input handling vulnerabilities loading guest kernel on ARM

UPDATES IN VERSION 3
====================

Several CVE numbers, CVE-2014-{3714,3715,3716,3717}, have been assigned to the
issues described here. References have been added to the issue description.

ISSUE DESCRIPTION
=================

When loading a 32-bit ARM guest kernel the Xen tools did not correctly
validate the length of the kernel against the actual image size. This would
then lead to an overrun on the input buffer when loading the kernel into guest
RAM (CVE-2014-3714).

Furthermore, when checking a 32-bit guest kernel for an appended DTB, the Xen
tools were prone to additional overruns, also leading to an overrun on the
input buffer when loading the kernel into guest RAM (CVE-2014-3715). Also, the
tools would access a field in the putative DTB header without checking for its
alignment (CVE-2014-3716).
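All four issues in this advisory reduce to arithmetic on header fields that the supplier of the kernel image controls: a declared kernel end that is never compared with the bytes actually handed to the loader, an appended-DTB probe that trusts that declared end and the DTB's own total_size, a header field read through a pointer whose alignment was never checked, and (on 64-bit) a load address computed from an untrusted offset without guarding the addition. The following C is an added example written for this advisory, not code from Xen or its toolstack; it shows the loader-side checks a defender would want for each of those cases. All names (read_be32_checked, effective_kernel_size, load_range_ok, the demo_* helpers) and the 64-byte sample image are constructed for this example; DTB_MAGIC is the public flattened-device-tree magic value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DTB_MAGIC 0xd00dfeedu  /* public flattened-device-tree magic (big-endian on disk) */

/* Read a big-endian 32-bit field at any byte offset of an untrusted blob: byte-wise
 * assembly needs no alignment, and the bounds test is phrased so "off + 4" cannot wrap. */
bool read_be32_checked(const uint8_t *blob, size_t blob_size, size_t off,
                       uint32_t *out)
{
    if (off > blob_size || blob_size - off < 4)
        return false;
    *out = ((uint32_t)blob[off] << 24) | ((uint32_t)blob[off + 1] << 16) |
           ((uint32_t)blob[off + 2] << 8) | (uint32_t)blob[off + 3];
    return true;
}

/* The image's own "end of kernel" header field is untrusted: clamp it against the blob
 * actually supplied, and honour an appended DTB only when its 8-byte header (magic,
 * total_size) and the declared total_size both fit.  Returns false on a lying image. */
bool effective_kernel_size(const uint8_t *blob, size_t blob_size,
                           uint32_t declared_end, size_t *out_size)
{
    uint32_t magic, total;
    if (declared_end > blob_size)             /* claims more than we were given */
        return false;
    if (blob_size - declared_end >= 8 &&      /* room for an FDT header at all? */
        read_be32_checked(blob, blob_size, declared_end, &magic) &&
        magic == DTB_MAGIC) {
        if (!read_be32_checked(blob, blob_size, (size_t)declared_end + 4, &total) ||
            total > blob_size - declared_end) /* DTB claims bytes we do not have */
            return false;
        *out_size = (size_t)declared_end + total;   /* bounded by blob_size */
        return true;
    }
    *out_size = declared_end;
    return true;
}

/* Validate the guest segment [rambase + text_offset, + kernel_size).  Each sum is
 * guarded with the "a > MAX - b" idiom before it is formed, and the result must lie in
 * guest RAM [rambase, rambase + ramsize).  On ARM64 text_offset comes from the header. */
bool load_range_ok(uint64_t rambase, uint64_t ramsize, uint64_t text_offset,
                   uint64_t kernel_size, uint64_t *v_start, uint64_t *v_end)
{
    if (kernel_size == 0 || ramsize > UINT64_MAX - rambase)
        return false;                         /* empty image or bad RAM window */
    if (text_offset > UINT64_MAX - rambase)
        return false;                         /* v_start would wrap */
    uint64_t start = rambase + text_offset;
    if (kernel_size > UINT64_MAX - start)
        return false;                         /* v_end would wrap */
    uint64_t end = start + kernel_size;
    if (end > rambase + ramsize)
        return false;                         /* runs past the end of guest RAM */
    *v_start = start; *v_end = end;
    return true;
}

/* ---- constructed sample data and demo helpers, not part of any loader ---- */

static void write_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Builds a 64-byte image of zero "kernel" bytes with an FDT header at dtb_at (if it
 * fits) claiming dtb_total bytes, then runs the size check: accepted size or -1. */
long demo_effective_size(uint32_t dtb_at, uint32_t dtb_total)
{
    uint8_t img[64];
    size_t size;
    memset(img, 0, sizeof img);
    if ((uint64_t)dtb_at + 8 <= sizeof img) {
        write_be32(img + dtb_at, DTB_MAGIC);
        write_be32(img + dtb_at + 4, dtb_total);
    }
    return effective_kernel_size(img, sizeof img, dtb_at, &size) ? (long)size : -1;
}

/* 1 if the load range is accepted, 0 if it is rejected. */
int demo_range(uint64_t rambase, uint64_t ramsize, uint64_t off, uint64_t size)
{
    uint64_t s, e;
    return load_range_ok(rambase, ramsize, off, size, &s, &e);
}

int main(void)
{
    printf("kernel 32 bytes + DTB 24 bytes -> %ld\n", demo_effective_size(32, 24));
    printf("DTB at unaligned offset 33     -> %ld\n", demo_effective_size(33, 24));
    printf("declared end beyond the blob   -> %ld\n", demo_effective_size(100, 24));
    printf("DTB total_size beyond the blob -> %ld\n", demo_effective_size(32, 100));
    printf("ARM64 text_offset would wrap   -> %d\n",
           demo_range(0x40000000, 0x10000000, UINT64_MAX - 0x1000, 0x100));
    return 0;
}
```

Any C99 compiler builds this stand-alone. The offset-33 case is the one that matters for the alignment issue: a loader that casts blob + 33 to a struct pointer and dereferences a 32-bit member can fault on ARM, whereas the byte-wise read accepts the image and reports 57 bytes. The two rejection cases for the DTB probe are the lengths a hostile image can overstate; both are refused before any copy into guest RAM is sized from them.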
When loading a 64-bit ARM guest kernel the tools similarly did not fully
validate the requested load addresses, possibly leading to an overrun on the
input buffer when loading the kernel into guest RAM (CVE-2014-3717).

IMPACT
======

An attacker who can control the kernel used to boot a guest can exploit these
issues.

Exploiting the overflow issues allows information which follows the guest
kernel in the toolstack address space to be copied into the guest's memory,
constituting an information leak.

Alternatively, either the overflow or alignment issues could be used to crash
the toolstack process, leading to a denial of service.

VULNERABLE SYSTEMS
==================

ARM systems are vulnerable from Xen 4.4 onwards.

MITIGATION
==========

Ensuring that guests use only trustworthy kernels will avoid this problem.

CREDITS
=======

This issue was discovered by Thomas Leonard.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa95.patch           xen-unstable, Xen 4.4.x

$ sha256sum xsa95*.patch
1ab63ff126b92e752e88b240838dd66b66415604eaa3e49e373cb50ad3cdd0af  xsa95.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTdenGAAoJEIP+FMlX6CvZHbAIAI581kr07vf1KNlGVIyfOoJN
y8iqAS4n4D8JM7HJgoC+4Yf8HXA+KljR2Pg31ciY1eryWFibvZiBt1aykZVS7y+c
nVMHNoOVv0HmA/RycMT06iNy8BRThat4QY5/Eov8voRESU0yCPXTgoNg1iBLt5Eb
ZG31pI2Nk+xOmC4+wtJ8BLv+k2dV6vLNNaZB60OrXL7VOFlQlyCRrUSy3wy86y+h
FkhelkAWnRBpYOBn0ZSJayVlMH1fRtZWSYQOhDQHt14laJE/UJVQ5gNnSJDCQevS
io2i30xT38SfdoBPfiTj6yfgmmT3YmJRZvJ7QnSqBDWL1r4xcTCtHB7Uyy94X4w=
=ivP8
-----END PGP SIGNATURE-----

Attachment: xsa95.patch

tools: arm: remove code to check for a DTB appended to the kernel

The code to check for an appended DTB was confusing and unnecessary. Since we
know the size of the kernel binary passed to us we should just load the entire
thing into guest RAM (subject to the limits checks). Removing this code avoids
a whole raft of overflow and alignment issues.

We also need to validate the limits of the segment where we intend to load the
kernel to avoid overflow issues.

For ARM32 we control the load address, but we need to validate the size. The
entry point is only relevant within the guest so we don't need to worry about
that.

For ARM64 we need to validate both the load address (which is the same as the
entry point) and the size.

This is XSA-95.

Reported-by: Thomas Leonard <talex5@gmail.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

diff --git a/tools/libxc/xc_dom_armzimageloader.c b/tools/libxc/xc_dom_armzimageloader.c
index e6516a1..2b28781 100644
--- a/tools/libxc/xc_dom_armzimageloader.c
+++ b/tools/libxc/xc_dom_armzimageloader.c
@@ -51,7 +51,6 @@ struct minimal_dtb_header {
 static int xc_dom_probe_zimage32_kernel(struct xc_dom_image *dom)
 {
     uint32_t *zimage;
-    uint32_t end;
 
     if ( dom->kernel_blob == NULL )
     {
@@ -73,22 +72,6 @@ static int xc_dom_probe_zimage32_kernel(struct xc_dom_image *dom)
         return -EINVAL;
     }
 
-    end = zimage[ZIMAGE32_END_OFFSET/4];
-
-    /*
-     * Check for an appended DTB.
-     */
-    if ( end + sizeof(struct minimal_dtb_header) < dom->kernel_size ) {
-        struct minimal_dtb_header *dtb_hdr;
-        dtb_hdr = (struct minimal_dtb_header *)(dom->kernel_blob + end);
-        if (ntohl/*be32_to_cpu*/(dtb_hdr->magic) == DTB_MAGIC) {
-            xc_dom_printf(dom->xch, "%s: found an appended DTB", __FUNCTION__);
-            end += ntohl/*be32_to_cpu*/(dtb_hdr->total_size);
-        }
-    }
-
-    dom->kernel_size = end;
-
     return 0;
 }
 
@@ -105,8 +88,20 @@ static int xc_dom_parse_zimage32_kernel(struct xc_dom_image *dom)
 
     /* Do not load kernel at the very first RAM address */
     v_start = rambase + 0x8000;
+
+    if ( dom->kernel_size > UINT64_MAX - v_start )
+    {
+        DOMPRINTF("%s: kernel is too large\n", __FUNCTION__);
+        return -EINVAL;
+    }
+
     v_end = v_start + dom->kernel_size;
 
+    /*
+     * If start is invalid then the guest will start at some invalid
+     * address and crash, but this happens in guest context so doesn't
+     * concern us here.
+     */
     start = zimage[ZIMAGE32_START_OFFSET/4];
 
     if (start == 0)
@@ -187,7 +182,20 @@ static int xc_dom_parse_zimage64_kernel(struct xc_dom_image *dom)
 
     zimage = dom->kernel_blob;
 
+    if ( zimage->text_offset > UINT64_MAX - rambase )
+    {
+        DOMPRINTF("%s: kernel text offset is too large\n", __FUNCTION__);
+        return -EINVAL;
+    }
+
     v_start = rambase + zimage->text_offset;
+
+    if ( dom->kernel_size > UINT64_MAX - v_start )
+    {
+        DOMPRINTF("%s: kernel is too large\n", __FUNCTION__);
+        return -EINVAL;
+    }
+
     v_end = v_start + dom->kernel_size;
 
     dom->kernel_seg.vstart = v_start;

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
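Review bot: in the @@ -73,22 +72,6 @@ hunk, deleting the probe rather than bounding it is the right call, but the definitions it leaned on are left behind: `struct minimal_dtb_header` is still visible in the @@ -51 hunk's context, and `DTB_MAGIC` and `ZIMAGE32_END_OFFSET` now appear only in removed lines. If nothing else in the file uses them, drop them in the same change so nobody reintroduces the scan against them later. For the record of why the old code was unsafe: `end` came straight from the image's own header, on a 32-bit toolstack `end + sizeof(struct minimal_dtb_header)` could wrap before the `< dom->kernel_size` test, `dtb_hdr` was dereferenced at an arbitrary byte offset, and `dom->kernel_size = end` let the header assert a length beyond the blob actually supplied.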
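Review bot: in the @@ -105,8 +88,20 @@ hunk, the new `if ( dom->kernel_size > UINT64_MAX - v_start )` test only stops `v_end` from wrapping; nothing in the hunk checks that `v_end` stays within the guest's RAM, so either the segment limit checks the commit message refers to must run on `kernel_seg` after this function returns, or an explicit upper-bound test against the guest RAM size belongs next to this one. The added comment explaining why `start` is deliberately left unvalidated is worth keeping; it answers the obvious follow-up question.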
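Review bot: in the @@ -187,7 +182,20 @@ hunk, the `if ( ... > UINT64_MAX - ... ) { DOMPRINTF(...); return -EINVAL; }` block now appears three times between this hunk and the ARM32 one; a small helper taking rambase, the offset and the size would keep the three wraparound tests identical and make a later RAM-bounds check a one-line addition. Note also that `zimage->text_offset` is validated only against wraparound of `rambase + text_offset`, so the image can still request any offset below `UINT64_MAX - rambase`; the same question about bounding the range against guest RAM raised for the ARM32 hunk applies here.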