Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1WlFUK-00079S-Oi@xenbits.xen.org>
Date: Fri, 16 May 2014 10:35:40 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 95 (CVE-2014-3714,CVE-2014-3715,CVE-2014-3716,CVE-2014-3717)
 - input handling vulnerabilities loading guest kernel on ARM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 Xen Security Advisory CVE-2014-3714,CVE-2014-3715,CVE-2014-3716,CVE-2014-3717 / XSA-95
                             version 3

      input handling vulnerabilities loading guest kernel on ARM

UPDATES IN VERSION 3
====================

Several CVE numbers, CVE-2014-{3714,3715,3716,3717} have been assigned
to the issues described here. References have been added to the issue
description.

ISSUE DESCRIPTION
=================

When loading a 32-bit ARM guest kernel the Xen tools did not correctly
validate the length of the kernel against the actual image size.  This
would then lead to an overrun on the input buffer when loading the
kernel into guest RAM (CVE-2014-3714).

Furthermore when checking a 32-bit guest kernel for an appended DTB,
the Xen tools were prone to additional overruns also leading to an
overrun on the input buffer when loading the kernel into guest RAM
(CVE-2014-3715).  Also, the tools would access a field in the putative
DTB header without checking for its alignment (CVE-2014-3716).

When loading a 64-bit ARM guest kernel the tools similarly did not
fully validate the requested load addresses, possibly leading to an
overrun on the input buffer when loading the kernel into guest RAM
(CVE-2014-3717).

IMPACT
======

An attacker who can control the kernel used to boot a guest can
exploit these issues.

Exploiting the overflow issues allows information which follows the
guest kernel in the toolstack address space to be copied into the
guest's memory, constituting an information leak.

Alternatively either the overflow or alignment issues could be used to
crash the toolstack process, leading to a denial of service.

VULNERABLE SYSTEMS
==================

ARM systems are vulnerable from Xen 4.4 onwards.

MITIGATION
==========

Ensuring that guests use only trustworthy kernels will avoid this
problem.

CREDITS
=======

This issue was discovered by Thomas Leonard.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa95.patch        xen-unstable, Xen 4.4.x

$ sha256sum xsa95*.patch
1ab63ff126b92e752e88b240838dd66b66415604eaa3e49e373cb50ad3cdd0af  xsa95.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTdenGAAoJEIP+FMlX6CvZHbAIAI581kr07vf1KNlGVIyfOoJN
y8iqAS4n4D8JM7HJgoC+4Yf8HXA+KljR2Pg31ciY1eryWFibvZiBt1aykZVS7y+c
nVMHNoOVv0HmA/RycMT06iNy8BRThat4QY5/Eov8voRESU0yCPXTgoNg1iBLt5Eb
ZG31pI2Nk+xOmC4+wtJ8BLv+k2dV6vLNNaZB60OrXL7VOFlQlyCRrUSy3wy86y+h
FkhelkAWnRBpYOBn0ZSJayVlMH1fRtZWSYQOhDQHt14laJE/UJVQ5gNnSJDCQevS
io2i30xT38SfdoBPfiTj6yfgmmT3YmJRZvJ7QnSqBDWL1r4xcTCtHB7Uyy94X4w=
=ivP8
-----END PGP SIGNATURE-----

Download attachment "xsa95.patch" of type "application/octet-stream" (3213 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.