Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <E1WBPmy-0004Ab-3K@xenbits.xen.org>
Date: Thu, 06 Feb 2014 14:18:48 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 84 - integer overflow in several XSM/Flask
 hypercalls

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                     Xen Security Advisory XSA-84
                              version 2

           integer overflow in several XSM/Flask hypercalls

UPDATES IN VERSION 2
====================

Public release.

The patch for 4.1 was extended to cover a few further similar issues.

ISSUE DESCRIPTION
=================

The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID
suboperations of the flask hypercall are vulnerable to an integer
overflow on the input size. The hypercalls attempt to allocate a
buffer which is 1 larger than this size and is therefore vulnerable to
integer overflow and an attempt to allocate then access a zero byte
buffer.

Xen 3.3 through 4.1, while not affected by the above overflow, have a
different overflow issue on FLASK_{GET,SET}BOOL and expose unreasonably
large memory allocation to aribitrary guests.

Xen 3.2 (and presumably earlier) exhibit both problems, with the
overflow issue being present for more than just the suboperations
listed above.

The FLASK_GETBOOL op is available to all domains.

The FLASK_SETBOOL op is only available to domains which are granted
access via the Flask policy.  However the permissions check is
performed only after running the vulnerable code and the vulnerability
via this subop is exposed to all domains.

The FLASK_USER and FLASK_CONTEXT_TO_SID ops are only available to
domains which are granted access via the Flask policy.

IMPACT
======

Attempting to access the result of a zero byte allocation results in
a processor fault leading to a denial of service.

VULNERABLE SYSTEMS
==================

All Xen versions back to at least 3.2 are vulnerable to this issue when
built with XSM/Flask support. XSM support is disabled by default and is
enabled by building with XSM_ENABLE=y.

We have not checked earlier versions of Xen, but it is likely that
they are vulnerable to this or related vulnerabilities.

All Xen versions built with XSM_ENABLE=y are vulnerable.

MITIGATION
==========

There is no useful mitigation available in installations where XSM
support is actually in use.

In other systems, compiling it out (with XSM_ENABLE=n) will avoid the
vulnerability.

CREDITS
=======

This issue was discovered by Matthew Daley.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa84-unstable-4.3.patch        xen-unstable,Xen 4.3.x
xsa84-4.2.patch                 Xen 4.2.x
xsa84-4.1.patch                 Xen 4.1.x


$ sha256sum xsa84*.patch
e33dd94499959363ad01bebefda9733683c49fd42a9641cf2d7edcd87f853d55  xsa84-4.1.patch
433f3c8a202482c51a48dc0e9e47ac8751d1c0d0759b7bcd22804e1856279a89  xsa84-4.2.patch
64ae433eb606c5446184c08e6fceb9f660ed9a9c28ec112c8cc529251b3b49fb  xsa84-unstable-4.3.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJS85mEAAoJEIP+FMlX6CvZpLkH/1+K6cyCORgAmm1z4zzq4lwg
2XNHen88xZ/NAzZN/ETiGrvtafpGe2yBUAQlJWrYoKGNimBKVh4wlVUmymm/GLRp
Fcg+eck6q5BGF1L4ojMrWkZy1XqEOHrdzBk7nYxsJ/LN6lKKupvtPG67x65qBMkP
z/jEq5vP37J9mWtaZjBCn9wpfGrrUnoOi+MKw/5Wmr44eDm/V5+tJmZiAqxxvB9H
fFs2CI7alIvX4j848dG17juYGemlnVqOMHS65+IchDShAcde9ho6EoQMpDISFK+Q
HSCY5HfSPn4XmpqWHKlONL3sQAMj6WqZvok3WxlU0lIq9PPVrvdQDrbP4GdJKz4=
=dK4H
-----END PGP SIGNATURE-----

Download attachment "xsa84-4.1.patch" of type "application/octet-stream" (2943 bytes)

Download attachment "xsa84-4.2.patch" of type "application/octet-stream" (4943 bytes)

Download attachment "xsa84-unstable-4.3.patch" of type "application/octet-stream" (4955 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.