Message-Id: <E1dNHpG-0005zH-0I@xenbits.xenproject.org>
Date: Tue, 20 Jun 2017 12:00:06 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 216 - blkif responses leak backend stack data

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory XSA-216
                              version 3

          blkif responses leak backend stack data

UPDATES IN VERSION 3
====================

Public release.

Fix a typo ("our" for "or" in Vulnerable Systems).

ISSUE DESCRIPTION
=================

The block interface response structure has some discontiguous fields.
Certain backends populate the structure fields of an otherwise
uninitialized instance of this structure on their stacks, leaking data
through the (internal or trailing) padding field.

IMPACT
======

A malicious unprivileged guest may be able to obtain sensitive
information from the host or other guests.

VULNERABLE SYSTEMS
==================

All Linux versions supporting the xen-blkback, blkback, or blktap
drivers are vulnerable.

FreeBSD, NetBSD and Windows (with or without PV drivers) are not
vulnerable (either because they do not have backends at all, or because
they use a different implementation technique which does not suffer
from this problem).

All qemu versions supporting the Xen block backend are vulnerable.
The qemu-xen-traditional code base does not include such code, so is
not vulnerable.

Note that an instance of qemu will be spawned to provide the backend
for most non-raw-format disks; so you may need to apply the patch to
qemu even if you use only PV guests.

MITIGATION
==========

There's no mitigation available for x86 PV and ARM guests.

For x86 HVM guests it may be possible to change the guest configuration
such that a fully virtualized disk is being made available instead.
However, this would normally entail changes inside the guest itself.

CREDITS
=======

This issue was discovered by Anthony Perard of Citrix.

For patch:
Reported by: Anthony Perard <anthony.perard@...rix.com>

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa216-linux-4.11.patch        Linux 4.5 ... 4.11
xsa216-linux-4.4.patch         Linux 3.3 ... 4.4
xsa216-qemuu.patch             qemu-upstream master, 4.8
xsa216-qemuu-4.7.patch         qemu-upstream 4.7, 4.6
xsa216-qemuu-4.5.patch         qemu-upstream 4.5
xsa216-linux-2.6.18-xen.patch  linux-2.6.18-xen.hg

$ sha256sum xsa216*
28beb3d876fa0eee77f4377ef2708d764a5d9a2003dd4f1a4ecb9b8bf60658a4  xsa216-linux-2.6.18-xen.patch
6f6138c0a00df4ed7307ae4e5ee30dbe8594ff05bc1e8fdc7cfd785077d72ddc  xsa216-linux-4.4.patch
e04da27961cd867f7bbba31677f61e3e425c0e7cc7352a7a2d22b5a35eaf8585  xsa216-linux-4.11.patch
850b0143cfe3c69c62abdad71be9813014d46c380109fc650689a10c90ff39f4  xsa216-qemuu.patch
072270274d2554b71579a529c908d16479f8eba6646d8aed2e3d129495b27716  xsa216-qemuu-4.5.patch
5a64e2c5bb78f1c8fae97354be10fcc63ea39d333d6490e3a422ff30460cdef1  xsa216-qemuu-4.7.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However, deployment of the mitigation is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List). Specifically, deployment on public cloud systems
is NOT permitted.

This is because this produces a guest-visible change which will
indicate which component contains the vulnerability.

Additionally, distribution of updated software is prohibited (except to
other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJZSQ3JAAoJEIP+FMlX6CvZWkQIAMXD8Lc1PunNw5x9WsLb2y9U
KA0QrsNve4Ugc/xvCiuqUoV+ljZIRiy57A//ZnNtTR8JiRqpjEC47he3oYNleytN
RfOw2ZzsXdD4F8sqT3YvR0vcPL1Pf7fHzg8Ax19RxdcXRWTrN/b/poxuCu4F5PWn
cFi4tQDYLuEb2e9Sj8ue8RbtcVOEyuSG/dP1E29K7sKdc6GB13nWsa93KJsSRLY6
cwKnOmBy+2H66FcfmWomU+OueKI7y5DsYxYV+VVUBGnBTSn0b3dwpHNKUBCuF1nQ
RqOjo2rHOMBeiGaAlGg8toef7IkRH20p/LjiQxAneMndmta3t9enx8rYYxgFd5k=
=3n1c
-----END PGP SIGNATURE-----

Attachments: xsa216-linux-2.6.18-xen.patch (5642 bytes), xsa216-linux-4.4.patch (3643 bytes), xsa216-linux-4.11.patch (3708 bytes), xsa216-qemuu.patch (4399 bytes), xsa216-qemuu-4.5.patch (4375 bytes), xsa216-qemuu-4.7.patch (4375 bytes)
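The bug class in the Issue Description is easy to reproduce in miniature: a struct with an 8-byte field followed by 1-byte and 2-byte fields has an internal padding byte and trailing padding bytes that no assignment ever touches, so copying the whole object from an uninitialized stack instance into a guest-visible ring ships whatever the stack held. The following is an added C example written for this page, not code from the advisory, the Linux kernel, or qemu; the struct is a constructed stand-in with the same shape of problem rather than a copy of the Xen block-interface header, and the "stale stack" contents are simulated with a marker byte so the result is deterministic. It shows the leaking pattern next to the zero-initializing fix and counts how many marker bytes reach the ring slot in each case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a block-interface response: an 8-byte id, a 1-byte
 * operation code and a 2-byte status. On the usual 64-bit ABIs this leaves one
 * internal padding byte after `operation` and four trailing padding bytes.
 * (Illustrative layout for this example, not taken from the Xen headers.) */
struct blk_response_like {
    uint64_t id;
    uint8_t  operation;
    int16_t  status;
};

#define RESP_SIZE sizeof(struct blk_response_like)

/* Marker standing in for whatever stale data the backend's stack frame held
 * before the response was assembled. */
#define STALE_BYTE 0xAAu

/* Bytes in the object that are not any named field, i.e. the padding. */
size_t padding_bytes(void)
{
    return RESP_SIZE - (sizeof(uint64_t) + sizeof(uint8_t) + sizeof(int16_t));
}

/* Count marker bytes that survived into a ring slot. Field values used below
 * (42, 0, 0) never equal the marker, so every hit is a padding byte. */
size_t count_stale(const unsigned char *slot)
{
    size_t n = 0;
    for (size_t i = 0; i < RESP_SIZE; i++)
        if (slot[i] == STALE_BYTE)
            n++;
    return n;
}

/* Store only the named fields at their natural offsets inside `frame`, which
 * models the bytes of a stack-allocated struct. Byte-level stores are used so
 * the padding is provably untouched, mirroring field-by-field assignment. */
static void fill_fields(unsigned char *frame, uint64_t id, uint8_t op, int16_t status)
{
    memcpy(frame + offsetof(struct blk_response_like, id), &id, sizeof id);
    memcpy(frame + offsetof(struct blk_response_like, operation), &op, sizeof op);
    memcpy(frame + offsetof(struct blk_response_like, status), &status, sizeof status);
}

/* Leaking pattern: populate an uninitialized stack object (simulated as a
 * frame pre-filled with STALE_BYTE) and copy the entire object, padding
 * included, into the guest-visible ring slot. Returns the leaked byte count. */
size_t leaked_bytes_unsafe(unsigned char ring_slot[RESP_SIZE])
{
    unsigned char frame[RESP_SIZE];
    memset(frame, STALE_BYTE, RESP_SIZE);   /* simulated stale stack contents */
    fill_fields(frame, 42, 0, 0);           /* only the named fields are written */
    memcpy(ring_slot, frame, RESP_SIZE);    /* padding travels with the copy */
    return count_stale(ring_slot);
}

/* Fixed pattern: clear the whole object before populating it, so padding is
 * known-zero no matter what the stack held. Writing each field directly into
 * the ring slot instead of via a stack temporary avoids the problem as well. */
size_t leaked_bytes_safe(unsigned char ring_slot[RESP_SIZE])
{
    unsigned char frame[RESP_SIZE];
    memset(frame, STALE_BYTE, RESP_SIZE);   /* same simulated stale stack */
    memset(frame, 0, RESP_SIZE);            /* the fix: zero before use */
    fill_fields(frame, 42, 0, 0);
    memcpy(ring_slot, frame, RESP_SIZE);
    return count_stale(ring_slot);
}

/* Recover the id from a ring slot, to show the fix keeps the payload intact. */
uint64_t slot_id(const unsigned char *slot)
{
    uint64_t id;
    memcpy(&id, slot + offsetof(struct blk_response_like, id), sizeof id);
    return id;
}

int main(void)
{
    unsigned char slot[RESP_SIZE];
    printf("struct size %zu, padding bytes %zu\n", RESP_SIZE, padding_bytes());
    printf("unsafe: %zu stale bytes reach the ring\n", leaked_bytes_unsafe(slot));
    printf("safe:   %zu stale bytes reach the ring (id=%llu)\n",
           leaked_bytes_safe(slot), (unsigned long long)slot_id(slot));
    return 0;
}
```

The unsafe variant leaks exactly as many bytes as the struct has padding; the safe variant leaks none while still delivering the same field values. The same check generalizes to any struct copied wholesale into shared memory: compare `sizeof` against the sum of the field sizes, and if they differ, the object must be zeroed (or written field-by-field at its destination) before it crosses the trust boundary.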