Xen Security Advisory 167 (CVE-2016-1570) - PV superpage functionality missing sanity checks
From: Xen.org security team @ 2016-01-20 12:08 UTC
To: xen-announce, xen-devel, xen-users, oss-security; +Cc: Xen.org security team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2016-1570 / XSA-167
version 4
PV superpage functionality missing sanity checks
UPDATES IN VERSION 4
====================
Public release.
ISSUE DESCRIPTION
=================
The PV superpage functionality lacks certain validity checks on data
passed to the hypervisor by guests. This is the case for the page
identifier (MFN) passed to the MMUEXT_MARK_SUPER and
MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall,
which is used to locate an entry in the superpage frame table without
first being checked for validity, as well as for various forms of page
table updates that reach get_superpage().
IMPACT
======
A malicious PV guest on a host where the feature is enabled (it is
disabled by default) can cause effects that have not been fully
characterised, ranging from information leaks through Denial of
Service to privilege escalation.
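The following is an added model of the missing check, written for this page; it is not Xen's mm.c. It keeps only the shape of the MMUEXT_MARK_SUPER / get_superpage() path: a guest-supplied machine frame number (MFN) is turned into an index into the superpage frame table and dereferenced. The table size, MAX_PAGE, the domain ids and the sample MFNs are constructed for the example, and the handler returns the index it would dereference instead of touching memory, so the out-of-range case can be inspected rather than faulted on.

```c
/*
 * Added model of the XSA-167 check (example code, not Xen's mm.c).
 * A guest passes an MFN; the hypervisor converts it to a position in
 * the superpage frame table. Before the fix nothing verified that the
 * MFN names a frame that exists. Table size, MAX_PAGE and domain ids
 * are constructed for this example.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define L1_PAGETABLE_ENTRIES 512UL    /* 4K frames per 2M superpage on x86 */
#define MAX_PAGE             8192UL   /* constructed: host has 32 MiB of RAM */
#define NR_SPAGES            (MAX_PAGE / L1_PAGETABLE_ENTRIES)

struct spage_info { unsigned long type_info; };
static struct spage_info spage_table[NR_SPAGES]; /* stands in for Xen's table */

enum { DOM_OWNER = 1, DOM_OTHER = 2 };   /* constructed domain ids */

/* Stand-in for mfn_valid(): a frame exists iff it is below max_page. */
static bool mfn_valid(unsigned long mfn) { return mfn < MAX_PAGE; }

/* Stand-in for mfn_to_spage(): pure arithmetic, no bounds check of its own. */
static unsigned long mfn_to_spage_index(unsigned long mfn)
{
    return mfn / L1_PAGETABLE_ENTRIES;
}

/*
 * Handler shape before the fix: ownership and alignment are checked,
 * validity is not. Returns the table index that would be dereferenced,
 * or a negative errno value when a check rejects the request.
 */
long mark_super_before_fix(unsigned long mfn, int caller, int owner)
{
    if (caller != owner)
        return -EPERM;
    if (mfn & (L1_PAGETABLE_ENTRIES - 1))
        return -EINVAL;
    /* Missing mfn_valid(): an MFN >= MAX_PAGE indexes past spage_table. */
    return (long)mfn_to_spage_index(mfn);
}

/* Handler shape after the fix: the XSA-167 validity test is added. */
long mark_super_after_fix(unsigned long mfn, int caller, int owner)
{
    if (caller != owner)
        return -EPERM;
    if (mfn & (L1_PAGETABLE_ENTRIES - 1))
        return -EINVAL;
    /*
     * Test the highest frame of the 512-frame range. Because mfn is
     * already 2M-aligned and validity is an upper bound, one test
     * covers every frame of the superpage.
     */
    if (!mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)))
        return -EINVAL;
    return (long)mfn_to_spage_index(mfn);
}

/* True when an index returned above lies inside spage_table. */
bool spage_index_in_table(long idx)
{
    return idx >= 0 && (unsigned long)idx < NR_SPAGES;
}

int main(void)
{
    /* Constructed guest requests: a sane MFN and one far beyond max_page. */
    const unsigned long sane = 0x1000, bogus = 0x100000;
    long before = mark_super_before_fix(bogus, DOM_OWNER, DOM_OWNER);
    long after  = mark_super_after_fix(bogus, DOM_OWNER, DOM_OWNER);

    printf("mfn %#lx before fix: index %ld, inside table: %s\n", bogus, before,
           spage_index_in_table(before) ? "yes" : "NO");
    printf("mfn %#lx after fix:  %ld (EINVAL is %d)\n", bogus, after, -EINVAL);
    printf("mfn %#lx after fix:  index %ld\n", sane,
           mark_super_after_fix(sane, DOM_OWNER, DOM_OWNER));
    return 0;
}
```

The point the model makes is the one the patches rely on: the alignment mask and the `mfn | (L1_PAGETABLE_ENTRIES - 1)` test only work together. An unaligned MFN must be rejected first, otherwise testing the last frame of the range says nothing about the frames below it.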
VULNERABLE SYSTEMS
==================
Only systems which enable the PV superpage feature are affected. That
is, only systems with an `allowsuperpage' setting on the hypervisor
command line. Note that in Xen 4.0.x and 3.4.x the option is named
`allowhugepage'.
Xen versions 3.4.0, 3.4.1, and from 4.1 onwards are affected.
Only x86 systems are affected.
Only PV guests can exploit the vulnerability.
MITIGATION
==========
Running only HVM guests will avoid this issue.
Not enabling PV superpage support (by omitting the `allowsuperpage' or
`allowhugepage' hypervisor command line options) will avoid exposing
the issue.
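To audit a host against the two statements above, the hypervisor command line can be read in dom0 from the xen_commandline field of `xl info` (for example `xl info | sed -n 's/^xen_commandline *: *//p'`) and scanned for the option. The function below is an added example for that scan, not Xen's own option parser. It assumes the option is a boolean parameter accepted as `allowsuperpage` (or `allowhugepage` on 3.4.x and 4.0.x), optionally with an `=value`, that a `no-` prefix or a value of 0/no/off/false/disable turns it off, and that a later occurrence overrides an earlier one; verify these parsing rules against the Xen version in use. The command lines in main() are constructed.

```c
/*
 * Added example (not Xen code): decide from a hypervisor command line
 * whether PV superpages are enabled and hence whether XSA-167 applies.
 * Assumed option syntax: allowsuperpage / allowhugepage as a boolean
 * parameter, optional =value, `no-` prefix negates, last one wins.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Values assumed to switch a boolean Xen option off (case-insensitive). */
static bool value_means_off(const char *v, size_t n)
{
    static const char *const off[] = { "0", "no", "off", "false", "disable" };
    for (size_t i = 0; i < sizeof off / sizeof off[0]; i++)
        if (strlen(off[i]) == n && strncasecmp(off[i], v, n) == 0)
            return true;
    return false;
}

/* Returns true if cmdline enables PV superpages. */
bool pv_superpages_enabled(const char *cmdline)
{
    bool enabled = false;            /* feature is off unless switched on */
    const char *p = cmdline;

    while (*p) {
        while (*p && isspace((unsigned char)*p))
            p++;
        if (!*p)
            break;
        const char *tok = p;
        while (*p && !isspace((unsigned char)*p))
            p++;
        size_t len = (size_t)(p - tok);

        bool negate = false;
        if (len > 3 && strncmp(tok, "no-", 3) == 0) {
            negate = true;
            tok += 3;
            len -= 3;
        }

        const char *eq = (const char *)memchr(tok, '=', len);
        size_t klen = eq ? (size_t)(eq - tok) : len;
        bool is_super = klen == 14 && strncmp(tok, "allowsuperpage", 14) == 0;
        bool is_huge  = klen == 13 && strncmp(tok, "allowhugepage", 13) == 0;
        if (!is_super && !is_huge)
            continue;

        bool on = !negate;
        if (eq && value_means_off(eq + 1, len - klen - 1))
            on = !on;
        enabled = on;                /* later occurrences override earlier */
    }
    return enabled;
}

int main(void)
{
    /* Constructed command lines, as xen_commandline would print them. */
    const char *lines[] = {
        "dom0_mem=2048M loglvl=all",
        "dom0_mem=2048M allowsuperpage",
        "allowhugepage=on dom0_max_vcpus=4",
        "allowsuperpage=0",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-40s -> %s\n", lines[i],
               pv_superpages_enabled(lines[i]) ? "PV superpages ENABLED"
                                                : "not enabled");
    return 0;
}
```

A host where this reports "not enabled" is outside the VULNERABLE SYSTEMS definition; one where it reports enabled is exposed only if it also runs PV guests.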
CREDITS
=======
This issue was discovered by Qinghao Tang of 360 Marvel Team.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.

xsa167.patch         xen-unstable
xsa167-4.6.patch     Xen 4.6.x, 4.5.x
xsa167-4.4.patch     Xen 4.4.x, 4.3.x

No patch is attached for Xen 4.2.x, 4.1.x or 3.4.x, although those
versions are listed as affected above; for them this advisory offers
only the command line mitigation.
$ sha256sum xsa167*
a71f709eef59425cb2113fa48d3b44048c6bf41063200fee1c847f6e0ed45a09 xsa167.patch
194c1ce89292f4cbb9980baa703095bcbeb5849abf46d193e07a98a0d8301f78 xsa167-4.4.patch
2bd786cccfd13c6732d6db8afc9e18058465efcb1bc93f894c359e3a820d5403 xsa167-4.6.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
However deployment of the SUPERPAGE DISABLEMENT MITIGATION is NOT
permitted (except where all the affected systems and VMs are
administered and used only by organisations which are members of the
Xen Project Security Issues Predisclosure List). Specifically,
deployment on public cloud systems is NOT permitted.
This is because disabling PV superpage support is visible to guests, so
such deployment could lead to the rediscovery of the vulnerability.
Deployment of the mitigation is permitted only AFTER the embargo ends.
Also: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJWn3jEAAoJEIP+FMlX6CvZTOsH/2ReFJ0Yhp5da69XKvFEJR/s
0yEFxjvqiSyBPsWjyiaAdOp/1A2sltEeDDnMy7xEoXHmon0p6IV0IR4L+fMCLjl2
1ZI4tKpkn3zUE+IOjfu/GJ53f87XWSq/u9Ri7yZQdxFpgd3AXcLegGm8i4L/58iY
vdwAAuczACztEN/NbWFedlGUEd5PKqKwb4wOg1uhLIMwzvjxgtejVAyZD83HgP6i
LeWMO7EfeU8ND38Otiw9lNlKD/Ia7vpRG+BXuADLx18hbR1TU9AJ0RO1zb9JnAAj
snYdgB6s1wzRD4/HOc+s1uaIttPPODs0IhZunylI7UVhdWKp5Qkszw/QUcmufnk=
=5acB
-----END PGP SIGNATURE-----
[-- Attachment #2: xsa167.patch --]
[-- Type: application/octet-stream, Size: 2372 bytes --]
x86/mm: PV superpage handling lacks sanity checks
MMUEXT_{,UN}MARK_SUPER fail to check the input MFN for validity before
dereferencing pointers into the superpage frame table.
get_superpage() has a similar issue.
This is XSA-167.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -2635,6 +2635,9 @@ int get_superpage(unsigned long mfn, str
ASSERT(opt_allow_superpage);
+ if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )
+ return -EINVAL;
+
spage = mfn_to_spage(mfn);
y = spage->type_info;
do {
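Review bot: the new `mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1))` test at the top of get_superpage() examines only the highest frame of the 512-frame range, so it is a complete check only when mfn is already 2M-aligned, and nothing in this function enforces that; the alignment guard lives in the callers (see the `mfn & (L1_PAGETABLE_ENTRIES - 1)` test in the do_mmuext_op hunk of this same patch). An `ASSERT(!(mfn & (L1_PAGETABLE_ENTRIES - 1)))` beside the existing `ASSERT(opt_allow_superpage)` would document the precondition. The rejection also returns -EINVAL silently, unlike the logged unaligned case elsewhere; a MEM_LOG of the rejected mfn would make guest probing visible. The same hunk appears unchanged in xsa167-4.4.patch and xsa167-4.6.patch.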
@@ -3432,42 +3435,26 @@ long do_mmuext_op(
}
case MMUEXT_MARK_SUPER:
+ case MMUEXT_UNMARK_SUPER:
{
unsigned long mfn = op.arg1.mfn;
- if ( unlikely(d != pg_owner) )
- rc = -EPERM;
- else if ( mfn & (L1_PAGETABLE_ENTRIES-1) )
- {
- MEM_LOG("Unaligned superpage reference mfn %lx", mfn);
- rc = -EINVAL;
- }
- else if ( !opt_allow_superpage )
+ if ( !opt_allow_superpage )
{
MEM_LOG("Superpages disallowed");
rc = -ENOSYS;
}
- else
- rc = mark_superpage(mfn_to_spage(mfn), d);
- break;
- }
-
- case MMUEXT_UNMARK_SUPER:
- {
- unsigned long mfn = op.arg1.mfn;
-
- if ( unlikely(d != pg_owner) )
+ else if ( unlikely(d != pg_owner) )
rc = -EPERM;
- else if ( mfn & (L1_PAGETABLE_ENTRIES-1) )
+ else if ( mfn & (L1_PAGETABLE_ENTRIES - 1) )
{
MEM_LOG("Unaligned superpage reference mfn %lx", mfn);
rc = -EINVAL;
- }
- else if ( !opt_allow_superpage )
- {
- MEM_LOG("Superpages disallowed");
- rc = -ENOSYS;
}
+ else if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )
+ rc = -EINVAL;
+ else if ( op.cmd == MMUEXT_MARK_SUPER )
+ rc = mark_superpage(mfn_to_spage(mfn), d);
else
rc = unmark_superpage(mfn_to_spage(mfn));
break;
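Review bot: merging the two cases reorders the checks so that `!opt_allow_superpage` is now tested before `d != pg_owner`, so a foreign-domain caller on a host without superpages enabled now gets -ENOSYS where it previously got -EPERM; harmless, but worth a line in the commit message since it is guest-visible. Also, the new `else if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )` branch sets rc = -EINVAL without a MEM_LOG, while the adjacent unaligned branch logs "Unaligned superpage reference mfn %lx"; logging the rejected mfn in the same style would keep invalid-MFN attempts observable in the hypervisor log.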
[-- Attachment #3: xsa167-4.4.patch --]
[-- Type: application/octet-stream, Size: 2202 bytes --]
x86/mm: PV superpage handling lacks sanity checks
MMUEXT_{,UN}MARK_SUPER fail to check the input MFN for validity before
dereferencing pointers into the superpage frame table.
get_superpage() has a similar issue.
This is XSA-167.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -2566,6 +2566,9 @@ int get_superpage(unsigned long mfn, str
ASSERT(opt_allow_superpage);
+ if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )
+ return -EINVAL;
+
spage = mfn_to_spage(mfn);
y = spage->type_info;
do {
@@ -3320,14 +3323,6 @@ long do_mmuext_op(
unsigned long mfn;
struct spage_info *spage;
- mfn = op.arg1.mfn;
- if ( mfn & (L1_PAGETABLE_ENTRIES-1) )
- {
- MEM_LOG("Unaligned superpage reference mfn %lx", mfn);
- okay = 0;
- break;
- }
-
if ( !opt_allow_superpage )
{
MEM_LOG("Superpages disallowed");
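Review bot: dropping the alignment test from the top of MMUEXT_MARK_SUPER changes what an unaligned mfn yields on a host without allowsuperpage: it now reaches the "Superpages disallowed" path (rc = -ENOSYS) instead of failing with okay = 0 first. That matches the ordering in xsa167.patch, but after this hunk `mfn` is declared and unused until the `mfn = op.arg1.mfn;` in the following hunk, so the two hunks only make sense read together; a sentence in the commit message about the case merge would help a 4.4 backporter.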
@@ -3336,16 +3331,6 @@ long do_mmuext_op(
break;
}
- spage = mfn_to_spage(mfn);
- okay = (mark_superpage(spage, d) >= 0);
- break;
- }
-
- case MMUEXT_UNMARK_SUPER:
- {
- unsigned long mfn;
- struct spage_info *spage;
-
mfn = op.arg1.mfn;
if ( mfn & (L1_PAGETABLE_ENTRIES-1) )
{
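Review bot: this hunk removes the `case MMUEXT_UNMARK_SUPER:` label and its local declarations so that both sub-ops share the MARK_SUPER body, but no hunk in xsa167-4.4.patch adds `case MMUEXT_UNMARK_SUPER:` beside `case MMUEXT_MARK_SUPER:`: the hunk before this one starts at `unsigned long mfn;` and its header (`@@ -3320,14 +3323,6 @@`) shows only the +3 offset contributed by the get_superpage() hunk. Unless the label already sits above that hunk's three lines of context, MMUEXT_UNMARK_SUPER no longer reaches the `op.cmd == MMUEXT_MARK_SUPER ? ... : ...` selection and would fall through to the default case. Compare xsa167.patch and xsa167-4.6.patch, which both add `+ case MMUEXT_UNMARK_SUPER:` explicitly; please confirm the 4.4 patch applies as intended and that unmark still works.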
@@ -3354,16 +3339,16 @@ long do_mmuext_op(
break;
}
- if ( !opt_allow_superpage )
+ if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )
{
- MEM_LOG("Superpages disallowed");
okay = 0;
- rc = -ENOSYS;
break;
}
spage = mfn_to_spage(mfn);
- okay = (unmark_superpage(spage) >= 0);
+ okay = ((op.cmd == MMUEXT_MARK_SUPER
+ ? mark_superpage(spage, d)
+ : unmark_superpage(spage)) >= 0);
break;
}
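Review bot: the new `if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )` branch only sets okay = 0 and neither logs nor sets rc, whereas the `!opt_allow_superpage` block it displaces had a MEM_LOG and rc = -ENOSYS. If the surrounding do_mmuext_op maps okay = 0 to -EINVAL this matches the other patches, but a MEM_LOG of the rejected mfn would keep the path consistent with the unaligned case directly above it. Separately, neither the removed nor the added lines in this 4.4 patch check `d != pg_owner` before mark_superpage(spage, d), while xsa167.patch and xsa167-4.6.patch test `unlikely(d != pg_owner)` in the same case; if 4.4 performs that check elsewhere, a note saying so would reassure reviewers.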
[-- Attachment #4: xsa167-4.6.patch --]
[-- Type: application/octet-stream, Size: 2395 bytes --]
x86/mm: PV superpage handling lacks sanity checks
MMUEXT_{,UN}MARK_SUPER fail to check the input MFN for validity before
dereferencing pointers into the superpage frame table.
get_superpage() has a similar issue.
This is XSA-167.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -2624,6 +2624,9 @@ int get_superpage(unsigned long mfn, str
ASSERT(opt_allow_superpage);
+ if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )
+ return -EINVAL;
+
spage = mfn_to_spage(mfn);
y = spage->type_info;
do {
@@ -3401,42 +3404,26 @@ long do_mmuext_op(
}
case MMUEXT_MARK_SUPER:
+ case MMUEXT_UNMARK_SUPER:
{
unsigned long mfn = op.arg1.mfn;
- if ( unlikely(d != pg_owner) )
- rc = -EPERM;
- else if ( mfn & (L1_PAGETABLE_ENTRIES-1) )
- {
- MEM_LOG("Unaligned superpage reference mfn %lx", mfn);
- okay = 0;
- }
- else if ( !opt_allow_superpage )
+ if ( !opt_allow_superpage )
{
MEM_LOG("Superpages disallowed");
rc = -ENOSYS;
}
- else
- rc = mark_superpage(mfn_to_spage(mfn), d);
- break;
- }
-
- case MMUEXT_UNMARK_SUPER:
- {
- unsigned long mfn = op.arg1.mfn;
-
- if ( unlikely(d != pg_owner) )
+ else if ( unlikely(d != pg_owner) )
rc = -EPERM;
- else if ( mfn & (L1_PAGETABLE_ENTRIES-1) )
+ else if ( mfn & (L1_PAGETABLE_ENTRIES - 1) )
{
MEM_LOG("Unaligned superpage reference mfn %lx", mfn);
- okay = 0;
- }
- else if ( !opt_allow_superpage )
- {
- MEM_LOG("Superpages disallowed");
- rc = -ENOSYS;
+ rc = -EINVAL;
}
+ else if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )
+ rc = -EINVAL;
+ else if ( op.cmd == MMUEXT_MARK_SUPER )
+ rc = mark_superpage(mfn_to_spage(mfn), d);
else
rc = unmark_superpage(mfn_to_spage(mfn));
break;
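Review bot: besides the mfn_valid() addition, this hunk changes the unaligned-mfn path from `okay = 0;` to `rc = -EINVAL;` (the `- okay = 0;` / `+ rc = -EINVAL;` lines), which the commit message does not mention. If do_mmuext_op in 4.6 already maps okay = 0 to -EINVAL the guest-visible result is unchanged; otherwise the error a PV guest sees for an unaligned superpage reference changes. Either way, please state it in the backport description so 4.5.x users applying this same patch know what to expect.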