* Xen Security Advisory 188 (CVE-2016-7154) - use after free in FIFO event channel code
@ 2016-09-08 12:00 Xen.org security team
From: Xen.org security team @ 2016-09-08 12:00 UTC (permalink / raw)
To: xen-announce, xen-devel, xen-users, oss-security; +Cc: Xen.org security team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2016-7154 / XSA-188
version 3
use after free in FIFO event channel code
UPDATES IN VERSION 3
====================
Public release.
ISSUE DESCRIPTION
=================
When the EVTCHNOP_init_control operation is called with a bad guest
frame number, it takes an error path which frees a control structure
without also clearing the corresponding pointer. Certain subsequent
operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control),
upon finding the non-NULL pointer, continue operation assuming it
points to allocated memory.
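The pattern the advisory describes, free a structure but leave the pointer dangling so a later operation that checks only for non-NULL carries on using freed memory, is small enough to model in a few dozen lines. The following C program is an added illustration, not code from the advisory or from Xen: the `struct domain`, `init_control`, `expand_array` and `cleanup_event_array` names are modelled loosely on the ones the advisory mentions, the "bad guest frame" is simulated as a negative `gfn`, and the tiny registry allocator (`tracked_alloc`/`tracked_free`/`tracked_is_live`) is a constructed stand-in that records whether a block is still live so the stale pointer can be recognised without touching freed memory. A `clear_pointer` flag switches between the unfixed behaviour and the one-line fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the per-domain FIFO state; not Xen's real structure. */
struct evtchn_fifo_domain { unsigned int num_evtchns; };
struct domain { struct evtchn_fifo_domain *evtchn_fifo; };

/* Minimal instrumented allocator (constructed for this example): every block
 * is recorded with a live flag, so a stale pointer is recognised without
 * touching freed memory. Newest entry wins on lookup, so a recycled address
 * is judged by its latest state. */
#define REG_SIZE 32
static struct { uintptr_t addr; bool live; } registry[REG_SIZE];
static int reg_count;

static void *tracked_alloc(size_t n)
{
    void *p = reg_count < REG_SIZE ? calloc(1, n) : NULL;
    if ( !p )
        return NULL;
    registry[reg_count].addr = (uintptr_t)p;
    registry[reg_count++].live = true;
    return p;
}

static int reg_lookup(const void *p)
{
    for ( int i = reg_count - 1; i >= 0; i-- )
        if ( registry[i].addr == (uintptr_t)p )
            return i;
    return -1;
}

static void tracked_free(void *p)
{
    int i = reg_lookup(p);
    if ( i >= 0 )
        registry[i].live = false;
    free(p);
}

static bool tracked_is_live(const void *p)
{
    int i = reg_lookup(p);
    return i >= 0 && registry[i].live;
}

enum result { RES_OK = 0, RES_EINVAL = -1, RES_ENOMEM = -2, RES_UAF = -3 };

/* Frees the control structure. clear_pointer == false leaves the pointer
 * dangling as the advisory describes; true applies the XSA-188 one-liner. */
static void cleanup_event_array(struct domain *d, bool clear_pointer)
{
    if ( !d->evtchn_fifo )
        return;
    tracked_free(d->evtchn_fifo);
    if ( clear_pointer )
        d->evtchn_fifo = NULL;
}

/* Stand-in for EVTCHNOP_init_control: allocate on first use, and take the
 * error path on a bad guest frame (modelled here as gfn < 0). */
static enum result init_control(struct domain *d, long gfn, bool clear_pointer)
{
    if ( !d->evtchn_fifo )
    {
        d->evtchn_fifo = tracked_alloc(sizeof *d->evtchn_fifo);
        if ( !d->evtchn_fifo )
            return RES_ENOMEM;
    }
    else if ( !tracked_is_live(d->evtchn_fifo) )
        return RES_UAF; /* unchecked code would keep using freed memory here */

    if ( gfn < 0 )
    {
        cleanup_event_array(d, clear_pointer);
        return RES_EINVAL;
    }
    d->evtchn_fifo->num_evtchns = 1;
    return RES_OK;
}

/* Stand-in for EVTCHNOP_expand_array: only valid once init succeeded. */
static enum result expand_array(struct domain *d)
{
    if ( !d->evtchn_fifo )
        return RES_EINVAL;
    if ( !tracked_is_live(d->evtchn_fifo) )
        return RES_UAF;
    d->evtchn_fifo->num_evtchns++;
    return RES_OK;
}

/* The advisory's sequence: init_control with a bad frame, then either
 * expand_array or a second init_control. Returns what the second call sees. */
static enum result run_sequence(bool clear_pointer, bool second_is_init)
{
    struct domain d = { NULL };
    enum result r;

    init_control(&d, -1, clear_pointer);
    r = second_is_init ? init_control(&d, 0, clear_pointer) : expand_array(&d);
    if ( d.evtchn_fifo && tracked_is_live(d.evtchn_fifo) )
        cleanup_event_array(&d, true);
    return r;
}

int main(void)
{
    printf("unfixed: expand_array=%d init_control=%d\n",
           run_sequence(false, false), run_sequence(false, true));
    printf("fixed:   expand_array=%d init_control=%d\n",
           run_sequence(true, false), run_sequence(true, true));
    return 0;
}
```

Without the fix both follow-up operations find a non-NULL pointer to a freed block (`RES_UAF`); with the pointer cleared, `expand_array` is correctly rejected as "not initialised" and a second `init_control` starts from a fresh allocation. The registry is only there to make the stale access observable; in the real hypervisor nothing stands between the non-NULL check and the dereference, which is why the fix is to clear the pointer at the point of the free rather than to add checks at each use.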
IMPACT
======
A malicious guest administrator can crash the host, leading to a DoS.
Arbitrary code execution (and therefore privilege escalation), and
information leaks, cannot be excluded.
VULNERABLE SYSTEMS
==================
Only Xen 4.4 is vulnerable. Xen versions 4.5 and later as well as Xen
versions 4.3 and earlier are not vulnerable.
MITIGATION
==========
There is no mitigation available.
CREDITS
=======
This issue was discovered by Mikhail Gorobets of Advanced Threat
Research, Intel Security.
RESOLUTION
==========
Applying the attached patch resolves this issue.
xsa188.patch Xen 4.4.x
$ sha256sum xsa188*
9f374c2e1437ad71369f41275e7b333e7b7691a783ba693ee567c899bd78c722 xsa188.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJX0VLuAAoJEIP+FMlX6CvZNjYH/RVxqYegZpfj0aiT5pai/a0i
PgPSoMccGoSSVTXzivXUTZS3fTIqfTpd4SQHu2Q2dUqbb6zcPqd3NzF7Jl9IMwLk
JHZwPYXOsZ0D6thFAMYFpjHOWXv7+1Mw7Np82PaA2yAUad+kxUORiJeL1RAE6zG/
xsAR7PTl2mK1Ae9lqDtKLijn0cnicAYoKiSlta8M0T5Sp79CT3xsfHiBbaWUBCcI
gmOW76RUbfOwn2kmhFJ4X5bwSzEhM93pQu7hJCmuwAADc8ezEEFv2lsUm5W8hkmW
a8V2nuqM+prbxY8JI3XbKJm5YrmHQpnX4FiBn13DZeUsaukT4Q1EltP1z/XvJto=
=jzF5
-----END PGP SIGNATURE-----
[-- Attachment #2: xsa188.patch --]
evtchn-fifo: prevent use after free
evtchn_fifo_init_control() calls evtchn_fifo_destroy() on an error
path, leading to cleanup_event_array() which frees d->evtchn_fifo
without also clearing the pointer. Otoh the bulk of
evtchn_fifo_init_control() is dependent on d->evtchn_fifo being NULL.
This is XSA-188.
Reported-by: Mikhail V Gorobets <mikhail.v.gorobets@intel.com>
Suggested-by: Mikhail V Gorobets <mikhail.v.gorobets@intel.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/common/event_fifo.c
+++ b/xen/common/event_fifo.c
@@ -482,6 +482,7 @@ static void cleanup_event_array(struct d
for ( i = 0; i < EVTCHN_FIFO_MAX_EVENT_ARRAY_PAGES; i++ )
unmap_guest_page(d->evtchn_fifo->event_array[i]);
xfree(d->evtchn_fifo);
+ d->evtchn_fifo = NULL;
}
static void setup_ports(struct domain *d)
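Review bot: clearing d->evtchn_fifo directly after the xfree() is the right fix and matches the commit message's observation that evtchn_fifo_init_control() relies on the pointer being NULL; since the loop visible at the top of this hunk dereferences d->evtchn_fifo unconditionally, it is worth confirming that cleanup_event_array() checks for a NULL pointer on entry (or that every caller does) so that a second teardown after this change cannot dereference the now-NULL pointer. A one-line comment next to the new assignment, e.g. "/* init_control relies on this being NULL */", would make the dependency explicit for future readers.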
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel