From: Xen.org security team
Subject: Xen Security Advisory 104 (CVE-2014-7154) - Race condition in HVMOP_track_dirty_vram
Date: Wed, 24 Sep 2014 10:30:01 +0000
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com
Cc: "Xen.org security team"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-7154 / XSA-104
                              version 3

           Race condition in HVMOP_track_dirty_vram

UPDATES IN VERSION 3
====================

This issue has been assigned CVE-2014-7154.

ISSUE DESCRIPTION
=================

The routine controlling the setup of dirty video RAM tracking latches
the value of a pointer before taking the respective guarding lock, thus
making it possible for a stale pointer to be used: by the time the lock
is acquired and the pointer is dereferenced, another caller may already
have freed or replaced it.

The hypercall providing access to the affected function is available
to the domain controlling HVM guests.

IMPACT
======

Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

Only domains controlling HVM guests can exploit this vulnerability.
(This includes domains providing hardware emulation services to HVM
guests.)

VULNERABLE SYSTEMS
==================

Xen versions from 4.0.0 onwards are vulnerable.

This vulnerability is only applicable to Xen systems using stub domains
or other forms of disaggregation of control domains for HVM guests.
MITIGATION
==========

There is no mitigation available for this issue.

(The security of a Xen system using stub domains is still better than
with a qemu-dm running as an unrestricted dom0 process.  Therefore
users with these configurations should not switch to an unrestricted
dom0 qemu-dm.)

CREDITS
=======

This issue was discovered by Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa104.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa104*.patch
fc02f6365ca79a6ef386c882b57fab8b56aa12b54fc9b05054552f0f25e32047  xsa104.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJUIpziAAoJEIP+FMlX6CvZO2wIAMm2konqFYzaAZXbEH25T24K
aNTRF+x+RFwZy/701GupySti6Go6HPvm4uya09qIVRyTkafH2WF+VT93rBRlROHM
z5ZFwR/wKLFj3TPr/Fhb52ynwDdRPMvFkaWGxvSvxjASBbAPxCAlE8SuTmG1nBOe
RtnHNk6cxV5UeYTZ8TosG7RvlPIVA17o82btJ6DPbXIn2tENLTJaZf9cTtNZxKPo
kIEuo9E0JFQQyje+t7lImbMQbbe216JTRtATTivVuP68AcE/TSRggLwoBxSitjUp
YNbcfbHUeg2qltftvlZKeGgvrVceQ+Vj59cFNRj4r+xRXXywAAGZkgCpZNLeQnA=
=gwmy
-----END PGP SIGNATURE-----

Attachment: xsa104.patch (decoded from the base64 MIME part of the mail)

x86/shadow: fix race condition sampling the dirty vram state

d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held.

If not, two concurrent hypercalls could both end up attempting to free
dirty_vram (the second of which will free a wild pointer), or both end up
allocating a new dirty_vram structure (the first of which will be leaked).

This is XSA-104.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>

--- a/xen/arch/x86/mm/shadow/common.c
+++ b/xen/arch/x86/mm/shadow/common.c
@@ -3485,7 +3485,7 @@ int shadow_track_dirty_vram(struct domai
     int flush_tlb = 0;
     unsigned long i;
     p2m_type_t t;
-    struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram;
+    struct sh_dirty_vram *dirty_vram;
     struct p2m_domain *p2m = p2m_get_hostp2m(d);
 
     if ( end_pfn < begin_pfn || end_pfn > p2m->max_mapped_pfn + 1 )
@@ -3495,6 +3495,8 @@ int shadow_track_dirty_vram(struct domai
     p2m_lock(p2m_get_hostp2m(d));
     paging_lock(d);
 
+    dirty_vram = d->arch.hvm_domain.dirty_vram;
+
     if ( dirty_vram && (!nr ||
              ( begin_pfn != dirty_vram->begin_pfn
             || end_pfn   != dirty_vram->end_pfn )) )
--- a/xen/include/asm-x86/hvm/domain.h
+++ b/xen/include/asm-x86/hvm/domain.h
@@ -112,7 +112,7 @@ struct hvm_domain {
     /* Memory ranges with pinned cache attributes. */
     struct list_head       pinned_cacheattr_ranges;
 
-    /* VRAM dirty support. */
+    /* VRAM dirty support.  Protect with the domain paging lock. */
     struct sh_dirty_vram *dirty_vram;
 
     /* If one of vcpus of this domain is in no_fill_mode or
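Review bot: in the first common.c hunk, dropping the initialiser at `struct sh_dirty_vram *dirty_vram;` leaves the variable unassigned until the later hunk sets it under paging_lock(). The only code visible between the two points is the `end_pfn < begin_pfn || end_pfn > p2m->max_mapped_pfn + 1` range check, which does not touch dirty_vram, so the window is safe; leaving the variable deliberately uninitialised rather than writing `= NULL` is preferable here, because it lets the compiler warn if a future early-exit path reads or frees it before the locked assignment.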
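Review bot: the second common.c hunk is the fix itself: `dirty_vram = d->arch.hvm_domain.dirty_vram;` now follows `paging_lock(d)`, so the value tested and freed in the `if ( dirty_vram && (!nr || ...` block is the one current under the lock rather than one latched before it. The commit message states the field must be read with the paging lock held and names two failure modes (a double free and a leaked allocation) that also involve the write side, yet this patch corrects only this one reader; it is worth confirming in review that every other site that assigns, allocates or frees d->arch.hvm_domain.dirty_vram already runs under the same paging lock.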
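Review bot: the domain.h hunk records the locking rule in the right place, the field's own comment, since that is what readers of `struct hvm_domain` will see. Consider stating in the same comment that the pointer is NULL while tracking is disabled, because the `if ( dirty_vram && ...` test in the common.c hunk relies on exactly that convention.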
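The ISSUE DESCRIPTION and the patch description both describe the same defect: a pointer that is only valid under the paging lock is sampled before the lock is taken, so a concurrent caller can free or replace it in the gap. The C model below is an added illustration, constructed for this page; it is not Xen code and not part of the advisory or the patch. It keeps the names from the patch (sh_dirty_vram, dirty_vram, paging_lock, the begin_pfn/end_pfn/nr arguments) but everything else is an assumption of the model: the lock is a plain flag, allocation comes from a fixed arena instead of xmalloc/xfree, and an interleave hook runs a second caller to completion inside the unlocked window so that the race is reproduced deterministically without threads. The pre-patch shape produces the two outcomes the patch description names (a stale pointer released twice, and a leaked allocation); the post-patch shape, given the identical window, produces neither.

```c
/* Constructed model of the XSA-104 race; not Xen code.  The dirty_vram pointer
 * may only be read or written with the domain's paging lock held.  A hook runs a
 * second caller inside the unlocked window, so the interleaving is deterministic
 * without threads and the lock can be modelled as a plain flag. */
#include <stdbool.h>
#include <stddef.h>

struct sh_dirty_vram { unsigned long begin_pfn, end_pfn; bool live; };

struct domain {
    bool paging_lock_held;            /* stands in for Xen's paging_lock(d) */
    struct sh_dirty_vram *dirty_vram; /* protected by the paging lock */
};

typedef void (*interleave_fn)(struct domain *);
struct outcome { int stale_releases, live_entries; };

#define POOL_SIZE 4
static struct sh_dirty_vram pool[POOL_SIZE]; /* fixed arena instead of xmalloc/xfree */
static int stale_releases;                   /* releases of an already-released entry */
static void paging_lock(struct domain *d)   { d->paging_lock_held = true; }
static void paging_unlock(struct domain *d) { d->paging_lock_held = false; }

static struct sh_dirty_vram *vram_alloc(unsigned long b, unsigned long e)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].live) {
            pool[i].live = true, pool[i].begin_pfn = b, pool[i].end_pfn = e;
            return &pool[i];
        }
    return NULL;
}

/* A second release of the same entry is the "free a wild pointer" outcome from
 * the patch description; the model counts it instead of corrupting memory. */
static void vram_release(struct sh_dirty_vram *v) { if (!v->live) stale_releases++; v->live = false; }

/* What both variants do once they hold the lock: nr == 0 stops tracking, and a
 * changed range is torn down and re-created. */
static void reconcile(struct domain *d, struct sh_dirty_vram *dirty_vram,
                      unsigned long begin, unsigned long end, unsigned nr)
{
    if (dirty_vram && (!nr || begin != dirty_vram->begin_pfn ||
                       end != dirty_vram->end_pfn)) {
        vram_release(dirty_vram);
        d->dirty_vram = dirty_vram = NULL;
    }
    if (nr && !dirty_vram)
        d->dirty_vram = vram_alloc(begin, end);
}

/* Pre-patch shape: the pointer is latched before the lock is taken; the hook
 * marks the window in which another caller can run. */
int track_dirty_vram_racy(struct domain *d, unsigned long begin,
                          unsigned long end, unsigned nr, interleave_fn hook)
{
    struct sh_dirty_vram *dirty_vram = d->dirty_vram; /* read without the lock */
    if (hook) hook(d);
    paging_lock(d);
    reconcile(d, dirty_vram, begin, end, nr);         /* may act on a stale value */
    paging_unlock(d);
    return stale_releases;
}

/* Post-patch shape: same window, but the pointer is read only once the lock is
 * held, so whatever the other caller did is visible. */
int track_dirty_vram_fixed(struct domain *d, unsigned long begin,
                           unsigned long end, unsigned nr, interleave_fn hook)
{
    if (hook) hook(d);
    paging_lock(d);
    struct sh_dirty_vram *dirty_vram = d->dirty_vram; /* read under the lock */
    reconcile(d, dirty_vram, begin, end, nr);
    paging_unlock(d);
    return stale_releases;
}

/* The competing caller runs alone inside the window, so the fixed variant is fine. */
static void other_caller_stops(struct domain *d)  { track_dirty_vram_fixed(d, 0, 0, 0, NULL); }
static void other_caller_starts(struct domain *d) { track_dirty_vram_fixed(d, 0xa0, 0xc0, 32, NULL); }

/* Two callers, the second running inside the first's unlocked window.  With stop
 * set both stop tracking (tracking is active beforehand); otherwise both start
 * tracking the same range.  Correct: 0 stale releases and at most 1 live entry. */
struct outcome run_scenario(bool fixed, bool stop)
{
    struct domain d = { false, NULL };
    struct outcome o = { 0, 0 };
    for (int i = 0; i < POOL_SIZE; i++) pool[i].live = false;
    stale_releases = 0;
    if (stop) track_dirty_vram_fixed(&d, 0xa0, 0xc0, 32, NULL); /* make tracking active */
    (fixed ? track_dirty_vram_fixed : track_dirty_vram_racy)
        (&d, 0xa0, 0xc0, stop ? 0 : 32, stop ? other_caller_stops : other_caller_starts);
    o.stale_releases = stale_releases;
    for (int i = 0; i < POOL_SIZE; i++) o.live_entries += pool[i].live;
    return o;
}
```

Running `run_scenario(false, true)` reports one stale release (the latched pointer is released again after the other caller already released it), and `run_scenario(false, false)` leaves two live entries (the other caller's allocation is overwritten and leaked); with `fixed` set both scenarios give the correct result, even though the interleave window is identical. That is the whole content of the patch: the lock already existed, the read was simply on the wrong side of it.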