Kurt Seifried
2013-Jun-20 07:09 UTC
Re: [oss-security] Xen Security Advisory 55 - Multiple vulnerabilities in libelf PV kernel handling
On 06/14/2013 10:46 AM, Xen.org security team wrote:
> Xen Security Advisory XSA-55 version 4
>
> Multiple vulnerabilities in libelf PV kernel handling
>
> UPDATES IN VERSION 4
> ====================
>
> We are sending out a version 4 of this advisory with no files
> attached. This is because the size of the version 3 advisory
> email caused delivery problems for some recipients.
>
> This version instead quotes the patchset git changeset ids in
> xen.git.
>
> UPDATES IN VERSION 3
> ====================
>
> Fixed patch series provided. These patches have been as
> thoroughly reviewed as possible and subjected to various regression
> testing.
>
> NOTE REGARDING CVE
> ==================
>
> We have not yet been assigned a CVE number for this issue.
>
> ISSUE DESCRIPTION
> =================
>
> The ELF parser used by the Xen tools to read domains' kernels and
> construct domains has multiple integer overflows, pointer
> dereferences based on calculations from unchecked input values, and
> other problems.

Apologies for the delay on this, I tried to tease all the issues apart
and ended up taking the coward's way out (which I should have in the
first place, apologies to the Xen guys). Please use:

CVE-2013-2194 XEN XSA-55 integer overflows
CVE-2013-2195 XEN XSA-55 pointer dereferences
CVE-2013-2196 XEN XSA-55 other problems

> IMPACT
> ======
>
> A malicious PV domain administrator who can specify their own
> kernel can escalate their privilege to that of the domain
> construction tools (i.e., normally, to control of the host).
>
> Additionally a malicious HVM domain administrator who is able to
> supply their own firmware ("hvmloader") can do likewise; however
> we think this would be very unusual and it is unlikely that such
> configurations exist in production systems.
>
> VULNERABLE SYSTEMS
> ==================
>
> All Xen versions are affected.
>
> Installations which only allow the use of trustworthy kernels for
> PV domains are not affected.
>
> MITIGATION
> ==========
>
> Ensuring that PV guests use only trustworthy kernels will avoid
> this problem.
>
> RESOLUTION
> ==========
>
> Applying the appropriate patch series will resolve this issue.
>
> These were attached to v3 of the advisory which can be found here:
> http://lists.xen.org/archives/html/xen-devel/2013-06/msg01626.html
>
> These are available in xen.git
> http://xenbits.xen.org/gitweb/?p=xen.git
> git://xenbits.xen.org/xen.git
> http://xenbits.xen.org/git-http/xen.git
> in the git changesets listed below.
>
> xen-unstable:
>
> 82cb4113b6ace16de192021de20f6cbd991e478f libxc: Better range check in xc_dom_alloc_segment
> 966070058d02cce9684e30073b61d6465e4b351c libxc: check blob size before proceeding in xc_dom_check_gzip
> de7911eaef98b6643d80e4612fe4dcd4528d15b9 libxc: range checks in xc_dom_p2m_host and _guest
> 3d5a1d4733e55e33521cd5004cab1313e5c5d5ff libxc: check return values from malloc
> aaebaba5ae225f591e0602e071037a935bb281b6 libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
> 2bcee4b3c316379f4b52cb308947eb6db3faf1a0 libxc: Add range checking to xc_dom_binloader
> 66fe2726fe8492676f9970b9c2c511bce6186ece libelf: abolish obsolete macros
> 39bf7b9d0ae534491745e54df5232127c0bddaf1 libelf: check loops for running away
> a004800f8fc607b96527815c8e3beabcb455d8e0 libelf: use only unsigned integers
> 7a549a6aa04dba807f8dd4c1577ab6a7592c4c76 libelf: use C99 bool for booleans
> c84481fbc7de7d15ff7476b3b9cd2713f81feaa3 libelf: Make all callers call elf_check_broken
> 943de71cf07d9d04ccb215bd46153b04930e9f25 libelf: Check pointer references in elf_is_elfbinary
> 65808a8ed41cc7c044f588bd6cab5af0fdc0e029 libelf: check all pointer accesses
> 04877847ade4ac9216e9f408fd544ade8f90cf9a libelf: check nul-terminated strings properly
> 50421bd56bf164f490d7d0bf5741e58936de41e8 tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
> 85256359995587df00001dca22e9a76ba6ea8258 libelf: introduce macros for memory access and pointer handling
> 95dd49bed681af93f71a401b0a35bf2f917c6e68 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
> f7aa72ec00aec71eed055dac5e8a151966d75c9c libelf: move include of <asm/guest_access.h> to top of file
> 13e2c808f7ea721c8f200062e2b9b977ee924471 libelf: abolish elf_sval and elf_access_signed
> 009ddca51504ce80889937e485d44ac0f9290d63 libelf: add `struct elf_binary*' parameter to elf_load_image
> b5a869209998fedadfe205d37addbd50a802998b libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
> 53bfcf585b09eb4ac2240f89d1ade77421cd2451 libxc: introduce xc_dom_seg_to_ptr_pages
> 14573b974850d82de7aebad17e6471d27d847f2c libelf: abolish libelf-relocate.c
>
> Xen 4.2.x:
>
> d21d36e84354c04638b60a739a5f7c3d9f8adaf8 libxc: Better range check in xc_dom_alloc_segment
> 2a548e22915535ac13694eb38222903bca7245e3 libxc: check blob size before proceeding in xc_dom_check_gzip
> 052a689aa526ca51fd70528d4b0f83dfb2de99c1 libxc: range checks in xc_dom_p2m_host and _guest
> 8dc90d163650ce8aa36ae0b46debab83cc61edb6 libxc: check return values from malloc
> 77c0829fa751f052f7b8ec08287aef6e7ba97bc5 libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
> b06e277b1fc08c7da3befeb3ac3950e1d941585d libxc: Add range checking to xc_dom_binloader
> 3baaa4ffcd3e7dd6227f9bdf817f90e5b75aeda2 libelf: abolish obsolete macros
> 52d8cc2dd3bb3e0f6d51e00280da934e8d91653a libelf: check loops for running away
> e673ca50127b6c1263727aa31de0b8bb966ca7a2 libelf: use only unsigned integers
> 3fb6ccf2faccaf5e22e33a3155ccc72d732896d8 libelf: use C99 bool for booleans
> a965b8f80388603d439ae2b8ee7b9b018a079f90 libelf: Make all callers call elf_check_broken
> d0790bdad7496e720416b2d4a04563c4c27e7b95 libelf: Check pointer references in elf_is_elfbinary
> cc8761371aac432318530c2ddfe2c8234bc0621f libelf: check all pointer accesses
> db14d5bd9b6508adfcd2b910f454fae12fa4ba00 libelf: check nul-terminated strings properly
> 59f66d58180832af6b99a9e4489031b5c2f627ab tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
> 40020ab55a1e9a1674ddecdb70299fab4fe8579d libelf: introduce macros for memory access and pointer handling
> de9089b449d2508b1ba05590905c7ebaee00c8c4 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
> 682a04488e7b3bd6c3448ab60599566eb7c6177a libelf: move include of <asm/guest_access.h> to top of file
> 83ec905922b496e1a5756e3a88405eb6c2c6ba88 libelf: abolish elf_sval and elf_access_signed
> 035634047d10c678cbb8801c4263747bdaf4e5b1 libelf: add `struct elf_binary*' parameter to elf_load_image
> 8c738fa5c1f3cfcd935b6191b3526f7ac8b2a5bd libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
> a672da4b2d58ef12be9d7407160e9fb43cac75d9 libxc: introduce xc_dom_seg_to_ptr_pages
> 9737484becab4a25159f1e985700eaee89690d34 libelf: abolish libelf-relocate.c
>
> Xen 4.1.x:
>
> ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978 libxc: check blob size before proceeding in xc_dom_check_gzip
> 6eca85d5c144ee8c899ee3cf8791f9087b15f2e8 libxc: range checks in xc_dom_p2m_host and _guest
> a2986a7959919bc748784bb75970bfbd42697d3b libxc: check return values from malloc
> 117a538dbef62f8d39159dea652e633e01b50a9a libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
> 40b76f1fb04af421c1415f7bcb168dfaa6960d0d libxc: Add range checking to xc_dom_binloader
> 4a3a60d8caee49af6951a672c55b08436a8d1f86 libelf: abolish obsolete macros
> 968c0399159c65e24bb8b9969259e18791e1f4d8 libelf: check loops for running away
> 282188ea84b9e0f9c4865f0609e7740f2f28e7b0 libxc: Introduce xc_bitops.h
> 86e39ce58e91fe55d4fdbc914cb1955c45acc20e libelf: use only unsigned integers
> bd3dba9f435fa59f305407f7d9b34e1e164ddd98 libelf: use C99 bool for booleans
> 44c74b1ed31c75ed9026abf62ab7427a46d8027a libelf: Make all callers call elf_check_broken
> 9962d7ffcce97ec2d69a15ef861996b1ead33694 libelf: Check pointer references in elf_is_elfbinary
> 39923542bb43e67776c4e8292d4a5a1adef2bd3b libelf: check all pointer accesses
> 8ce60b35beaac91a97b79c004ca6bf5d58e7390b libelf: check nul-terminated strings properly
> 4e46085972d2367dff2345a73361c1c17b47ce73 tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
> de49d6e83c3a8c753646b007972140ddbb746ba8 libelf: introduce macros for memory access and pointer handling
> 4d3339de1fe3cbf7b05487fdb6cadd7267950948 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
> e719b136b750e5eee87c4647d1846e4e1e70eac0 libelf: abolish elf_sval and elf_access_signed
> f7fb94409c562beec06094141ef262dc85f28dac libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
> bbf40e6b6d47809f4289a866d7d167c25104ecc0 libxc: introduce xc_dom_seg_to_ptr_pages
> 64a0206c451920b72a9c5721a6f2427baf99e3dd libelf: abolish libelf-relocate.c

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993
A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
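The bug class the advisory describes, an offset and a length taken from the untrusted ELF image, added together and compared against the blob size so that the sum can wrap and a pointer past the blob gets dereferenced, as an added C example. This is not Xen's libelf or libxc code and reproduces none of the listed commits; the header structs, naive_range_ok, range_ok, count_load_segments, build_sample and segments_in_sample are this example's own, and the three sample images are constructed here (variant 0 well-formed, variant 1 with e_phoff near UINT64_MAX, variant 2 with an absurd p_filesz), not real kernels.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Xen's libelf. Layouts follow the ELF64 spec but are
 * defined locally so the file does not depend on <elf.h>. */
#define EI_NIDENT 16
#define ELFCLASS64 2
#define PT_LOAD 1
#define PT_NOTE 4

typedef struct {
    unsigned char e_ident[EI_NIDENT];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr64_t;   /* 64 bytes, no padding */

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} phdr64_t;   /* 56 bytes, no padding */

/* The vulnerable pattern: off + len wraps for a huge offset or length from
 * the image, so the sum compares small and the check passes. Kept only to
 * demonstrate the failure; the parser below never calls it. */
bool naive_range_ok(size_t size, uint64_t off, uint64_t len)
{
    return off + len <= size;
}

/* Hardened form: compare the length against the space that remains after
 * the offset instead of adding the two image-supplied values. */
bool range_ok(size_t size, uint64_t off, uint64_t len)
{
    return off <= size && len <= size - off;
}

/* Walk the program headers of an ELF64 image held entirely in blob[0..size).
 * Returns the number of PT_LOAD segments whose file extent lies inside the
 * blob, or -1 if any header or range is malformed. Every pointer formed from
 * image-supplied values is range-checked before it is dereferenced. */
int count_load_segments(const uint8_t *blob, size_t size)
{
    ehdr64_t eh;
    if (!range_ok(size, 0, sizeof eh))
        return -1;
    memcpy(&eh, blob, sizeof eh);             /* memcpy: blob may be unaligned */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != ELFCLASS64)
        return -1;
    if (eh.e_phentsize < sizeof(phdr64_t))    /* each entry must hold a full phdr */
        return -1;
    /* e_phnum and e_phentsize are 16-bit, so their product cannot wrap in
     * 64 bits; the offset still has to be checked against the blob. */
    uint64_t table_len = (uint64_t)eh.e_phnum * eh.e_phentsize;
    if (!range_ok(size, eh.e_phoff, table_len))
        return -1;

    int loads = 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {   /* wider than uint16_t: no runaway at 65535 */
        phdr64_t ph;
        memcpy(&ph, blob + eh.e_phoff + (uint64_t)i * eh.e_phentsize, sizeof ph);
        if (ph.p_type != PT_LOAD)
            continue;
        if (ph.p_filesz > ph.p_memsz)         /* file bytes may not exceed the mapping */
            return -1;
        if (!range_ok(size, ph.p_offset, ph.p_filesz))
            return -1;
        loads++;
    }
    return loads;
}

/* Constructed sample image (not a real kernel): header, two phdrs, 32 bytes
 * of payload. variant 0 is well-formed; variant 1 puts e_phoff near
 * UINT64_MAX so off + len wraps; variant 2 gives the PT_LOAD an absurd
 * p_filesz. Structs are written and read back with memcpy on the same host,
 * so the example is endian-consistent. */
#define SAMPLE_SIZE (64 + 2 * 56 + 32)
size_t build_sample(uint8_t *out, int variant)
{
    ehdr64_t eh = {0};
    phdr64_t load = {0}, note = {0};
    memset(out, 0, SAMPLE_SIZE);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = ELFCLASS64;
    eh.e_ident[5] = 1;                                   /* ELFDATA2LSB */
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1;  /* ET_EXEC, x86-64 */
    eh.e_ehsize = 64; eh.e_phentsize = 56; eh.e_phnum = 2;
    eh.e_phoff = (variant == 1) ? UINT64_MAX - 8 : 64;
    load.p_type = PT_LOAD; load.p_offset = 176; load.p_vaddr = 0x100000;
    load.p_filesz = (variant == 2) ? UINT64_MAX - 100 : 32;
    load.p_memsz = load.p_filesz;
    note.p_type = PT_NOTE; note.p_offset = 176;
    memcpy(out, &eh, 64);
    memcpy(out + 64, &load, 56);
    memcpy(out + 120, &note, 56);
    memset(out + 176, 0x90, 32);                         /* payload bytes */
    return SAMPLE_SIZE;
}

/* Build one sample variant and parse it with the hardened checks. */
int segments_in_sample(int variant)
{
    uint8_t img[SAMPLE_SIZE];
    size_t n = build_sample(img, variant);
    return count_load_segments(img, n);
}
```

With the sample sizes above, naive_range_ok accepts both malicious variants (UINT64_MAX - 8 + 112 wraps to 103, and 176 + (UINT64_MAX - 100) wraps to 75, both below the 208-byte blob), which is exactly the read past the end that the advisory's "pointer dereferences based on calculations from unchecked input values" turns into a tools-context compromise; range_ok rejects both, and count_load_segments returns -1 instead of touching memory outside the image.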