Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1a9Xsp-0001up-LQ@xenbits.xen.org>
Date: Thu, 17 Dec 2015 12:42:11 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 155 (CVE-2015-8550) - paravirtualized
 drivers incautious about shared memory contents

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-8550 / XSA-155
                              version 5

    paravirtualized drivers incautious about shared memory contents

UPDATES IN VERSION 5
====================

Public release.

ISSUE DESCRIPTION
=================

The compiler can emit optimizations in the PV backend drivers which
can lead to double fetch vulnerabilities. Specifically the shared
memory between the frontend and backend can be fetched twice (during
which time the frontend can alter the contents) possibly leading to
arbitrary code execution in backend.

IMPACT
======

Malicious guest administrators can cause denial of service.  If driver
domains are not in use, the impact can be a host crash, or privilege escalation.

VULNERABLE SYSTEMS
==================

Systems running PV or HVM guests are vulnerable.

ARM and x86 systems are vulnerable.

All OSes providing PV backends are susceptible, this includes
Linux and NetBSD. By default the Linux distributions compile kernels
with optimizations.

MITIGATION
==========

There is no mitigation.

CREDITS
=======

This issue was discovered by Felix Wilhelm of ERNW.

RESOLUTION
==========

Applying the appropriate attached patches should fix the problem for
PV backends.  Note only that PV backends are fixed; PV frontend
patches will be developed and released (publicly) after the embargo
date.

Please note that there is a bug in some versions of gcc,
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 which can cause the
construct used in RING_COPY_REQUEST() to be ineffective in some
circumstances. We have determined that this is only the case when the
structure being copied consists purely of bitfields. The Xen PV
protocols updated here do not use bitfields in this way and therefore
these patches are not subject to that bug. However authors of third
party PV protocols should take this into consideration.

Linux v4.4:
xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
xsa155-linux-xsa155-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
xsa155-linux-xsa155-0007-xen-pciback-Save-xen_pci_op-commands-before-processi.patch
Linux v4.[0,1,2,3]
All the above patches except #5 will apply, please use:
xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
Linux v3.19:
All the above patches except #5 and #6 will apply, please use:
xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
xsa155-linux319-0006-xen-scsiback-safely-copy-requests.patch

qemu-xen:
xsa155-qemu-qdisk-double-access.patch
xsa155-qemu-xenfb.patch

qemu-traditional:
xsa155-qemut-qdisk-double-access.patch
xsa155-qemut-xenfb.patch

NetBSD 7.0:
xsa155-netbsd-xsa155-0001-netbsd-xen-Add-RING_COPY_REQUEST.patch
xsa155-netbsd-xsa155-0002-netbsd-netback-Use-RING_COPY_REQUEST-instead-of-RING.patch
xsa155-netbsd-xsa155-0003-netbsd-ring-Add-barrier-to-provide-an-compiler-barri.patch
xsa155-netbsd-xsa155-0004-netbsd-block-only-read-request-operation-from-shared.patch
xsa155-netbsd-xsa155-0005-netbsd-pciback-Operate-on-local-version-of-xen_pci_o.patch

xen:
xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch

xen 4.4:
All patches except #3 will apply, please use:
xsa155-xen44-0003-libvchan-Read-prod-cons-only-once.patch

$ sha256sum xsa155*
d9fbc104ab2ae797971e351ee0e04e7b7e9c7c33385309bb406c7941dc9a33b4  xsa155-linux319-xsa155-0006-xen-scsiback-safely-copy-requests.patch
590656d83ad7b6052b54659eccb3469658b3942c0dc1366423a66f2f5ac643e1  xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
2bd18632178e09394c5cd06aded2c14bcc6b6e360ad6e81827d24860fe3e8ca4  xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
cecdeccb8e2551252c81fc5f164a8298005df714a574a7ba18b84e8ed5f2bb70  xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
3916b847243047f0e1053233ade742c14a7f29243584e60bf5db4842a8068855  xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
746c8eb0aeb200d76156c88dfbbd49db79f567b88b07eda70f7c7d095721f05a  xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
18517a184a02f7441065b8d3423086320ec4c2345c00d551231f7976381767f5  xsa155-linux-xsa155-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
2e6d556d25b1cc16e71afde665ae3908f4fa8eab7e0d96283fc78400301baf92  xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
5e130d8b61906015c6a94f8edd3cce97b172f96a265d97ecf370e7b45125b73d  xsa155-linux-xsa155-0007-xen-pciback-Save-xen_pci_op-commands-before-processi.patch
08c2d0f95dcc215165afbce623b6972b81dd45b091b5f40017579b00c8612e03  xsa155-netbsd-xsa155-0001-netbsd-xen-Add-RING_COPY_REQUEST.patch
0a66010f736092f91f70bb0fd220685e4395efef1db6d23a3d1eace31d144f51  xsa155-netbsd-xsa155-0002-netbsd-netback-Use-RING_COPY_REQUEST-instead-of-RING.patch
5e913a8427cab6b4d384d1246e05116afc301eb117edd838101eb53a82c2f2ff  xsa155-netbsd-xsa155-0003-netbsd-ring-Add-barrier-to-provide-an-compiler-barri.patch
3b8f14eafaed3a7bc66245753a37af4249acf8129fbedb70653192252dc47dc9  xsa155-netbsd-xsa155-0004-netbsd-block-only-read-request-operation-from-shared.patch
81ae5fa998243a78dad749fc561be647dc1dc1be799e8f18484fdf0989469705  xsa155-netbsd-xsa155-0005-netbsd-pciback-Operate-on-local-version-of-xen_pci_o.patch
044ff74fa048df820d528f64f2791ec9cb3940bd313c1179020bd49a6cde2ca3  xsa155-qemu-qdisk-double-access.patch
1150504589eb7bfa108c80ce63395e57d0e627b12d9201219d968fdd026919a6  xsa155-qemut-qdisk-double-access.patch
63186246ab6913b54bfef5f09f33e815935ac40ff821c27a3efda62339bbbd5f  xsa155-qemut-xenfb.patch
e53b4ac298648cde79344192d5a58ca8d8724344f5105bec7c09eef095c668f6  xsa155-qemu-xenfb.patch
e52467fcec73bcc86d3e96d06f8ca8085ae56a83d2c42a30c16bc3dc630d8f8a  xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
eae34c8ccc096ad93a74190506b3d55020a88afb0cc504a3a514590e9fd746fd  xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
42780265014085a4221ad32b026214693d751789eb5219e2e83862c0006c66f4  xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
dfcaddb8a908a4fc1b048a43187e885117e67dc566f5c841037ee366dcd437d1  xsa155-xen44-0003-libvchan-Read-prod-cons-only-once.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWcqy6AAoJEIP+FMlX6CvZeBQH/ReZbtQjtRmlvHyu72GPZfGm
fI3Ji5NMczuAu/2aopqOl+dUudO91lHEDmKNuBKHFAb2hOjTd003mCig0JP2D3js
0Ca8ab7VDgSlNKTl99XAizKFYMJEDRdAxYHktNj+1ok9381e7xquEJ77GfSk2S1e
gKDoSYkseSEcrThsgsohYiEvIe/odf8gn4gKq7CTK2sAf45wxWwP/QtgbAidJR3s
hQKuv++cyf11csSuVBX4cp0YN8lRWPmygD1si6D/y2TUvn3sAw2EzDkdSfryvtFV
/PJTtaQKtyvwOu3kJedguPL0yYmdAPQLAwYWum/NfSBB4g94ydxJ30amp3q37lY=
=9VP6
-----END PGP SIGNATURE-----

Download attachment "xsa155-linux319-xsa155-0006-xen-scsiback-safely-copy-requests.patch" of type "application/octet-stream" (1159 bytes)

Download attachment "xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch" of type "application/octet-stream" (2339 bytes)

Download attachment "xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch" of type "application/octet-stream" (2057 bytes)

Download attachment "xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch" of type "application/octet-stream" (1568 bytes)

Download attachment "xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch" of type "application/octet-stream" (4383 bytes)

Download attachment "xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch" of type "application/octet-stream" (1925 bytes)

Download attachment "xsa155-linux-xsa155-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch" of type "application/octet-stream" (2395 bytes)

Download attachment "xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch" of type "application/octet-stream" (1176 bytes)

Download attachment "xsa155-linux-xsa155-0007-xen-pciback-Save-xen_pci_op-commands-before-processi.patch" of type "application/octet-stream" (2855 bytes)

Download attachment "xsa155-netbsd-xsa155-0001-netbsd-xen-Add-RING_COPY_REQUEST.patch" of type "application/octet-stream" (2150 bytes)

Download attachment "xsa155-netbsd-xsa155-0002-netbsd-netback-Use-RING_COPY_REQUEST-instead-of-RING.patch" of type "application/octet-stream" (8263 bytes)

Download attachment "xsa155-netbsd-xsa155-0003-netbsd-ring-Add-barrier-to-provide-an-compiler-barri.patch" of type "application/octet-stream" (1272 bytes)

Download attachment "xsa155-netbsd-xsa155-0004-netbsd-block-only-read-request-operation-from-shared.patch" of type "application/octet-stream" (1182 bytes)

Download attachment "xsa155-netbsd-xsa155-0005-netbsd-pciback-Operate-on-local-version-of-xen_pci_o.patch" of type "application/octet-stream" (2391 bytes)

Download attachment "xsa155-qemu-qdisk-double-access.patch" of type "application/octet-stream" (1402 bytes)

Download attachment "xsa155-qemut-qdisk-double-access.patch" of type "application/octet-stream" (1804 bytes)

Download attachment "xsa155-qemut-xenfb.patch" of type "application/octet-stream" (1563 bytes)

Download attachment "xsa155-qemu-xenfb.patch" of type "application/octet-stream" (1313 bytes)

Download attachment "xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch" of type "application/octet-stream" (2095 bytes)

Download attachment "xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch" of type "application/octet-stream" (2439 bytes)

Download attachment "xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch" of type "application/octet-stream" (1578 bytes)

Download attachment "xsa155-xen44-0003-libvchan-Read-prod-cons-only-once.patch" of type "application/octet-stream" (1575 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.