Xen.org security team
2014-Feb-06 12:39 UTC
Xen Security Advisory 86 - libvchan failure handling malicious ring indexes
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory XSA-86
                   version 2

      libvchan failure handling malicious ring indexes

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

libvchan (a library for inter-domain communication) does not correctly
handle unusual or malicious contents in the xenstore ring.  A malicious
guest can exploit this to cause a libvchan-using facility to read or
write past the end of the ring.

IMPACT
======

libvchan-using facilities are vulnerable to denial of service and
perhaps privilege escalation.

There are no such services provided in the upstream Xen Project
codebase.

VULNERABLE SYSTEMS
==================

All versions of libvchan are vulnerable.

Only installations which use libvchan for communication involving
untrusted domains are vulnerable.

libvirt, xapi, xend, libxl and xl do not use libvchan.  If your
installation contains other Xen-related software components it is
possible that they use libvchan and might be vulnerable.

Xen versions 4.1 and earlier do not contain libvchan.

MITIGATION
==========

Disabling libvchan-based facilities could be used to mitigate the
vulnerability.

CREDITS
=======

This issue was discovered by Marek Marczykowski-Górecki of Invisible
Things Lab.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

After the patch is applied to the Xen tree and built, any software
which is statically linked against libvchan will need to be relinked
against the new libvchan.a for the fix to take effect.
xsa86.patch           Xen 4.2.x, 4.3.x, 4.4-RC series, and xen-unstable

$ sha256sum xsa86*.patch
cd2df017e42717dd2a1b6f2fdd3ad30a38d3c0fbdd9d08b5f56ee0a01cd87b51  xsa86.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJS84JeAAoJEIP+FMlX6CvZsvYH/3HbxPvs42Al1gncMsc4uh+R
V+j48ENTQzSNhVTtXQq9bUgNk5Dp/kok7RpZbxCWIBl79UUP/fpPUT/FjD5egMOX
NU8FslhmalOkkpmyeX0Kt1SvhQt6FvaozTTOdR47wHerfd+mKkYchFRrkCBvllBU
/UIVItU6fA5xyXSsFy8quT66g2a88OTlv30YTsg3jhDo48FxO7A54ay4xVAIyOFK
4Wl+hpEgTSE47VRSIGriAvjOMSSQjiMFPjR/DSbUMj8FaVhwVSitIEG9cRhn+3HE
I6HqPFzy2jP+Lzj/WFkkZrt/k12GL4cZafg7th3/YcmABfR23QMN5SwfYDLKqqw=
=XbpF
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa86.patch"
Content-Disposition: attachment; filename="xsa86.patch"

From b4c452646efd37b4cd0996256dd0ab7bf6ccb7f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Mon, 20 Jan 2014 15:51:56 +0000
Subject: [PATCH] libvchan: Fix handling of invalid ring buffer indices
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The remote (hostile) process can set ring buffer indices to any value
at any time. If that happens, it is possible to get "buffer space"
(either for writing data, or ready for reading) negative or greater
than buffer size.  This will end up with buffer overflow in the second
memcpy inside of do_send/do_recv.

Fix this by introducing new available bytes accessor functions
raw_get_data_ready and raw_get_buffer_space which are robust against
mad ring states, and only return sanitised values.

Proof sketch of correctness:

Now {rd,wr}_{cons,prod} are only ever used in the raw available bytes
functions, and in do_send and do_recv.

The raw available bytes functions do unsigned arithmetic on the
returned values.  If the result is "negative" or too big it will be
>ring_size (since we used unsigned arithmetic).  Otherwise the result
is a positive in-range value representing a reasonable ring state, in
which case we can safely convert it to int (as the rest of the code
expects).

do_send and do_recv immediately mask the ring index value with the
ring size.  The result is always going to be plausible.  If the ring
state has become mad, the worst case is that our behaviour is
inconsistent with the peer's ring pointer.  I.e. we read or write to
arguably-incorrect parts of the ring - but always parts of the ring.
And of course if a peer misoperates the ring they can achieve this
effect anyway.

So the security problem is fixed.

This is XSA-86.

(The patch is essentially Ian Jackson's work, although parts of the
commit message are by Marek.)

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Cc: Joanna Rutkowska <joanna@invisiblethingslab.com>
---
 tools/libvchan/io.c |   47 +++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 41 insertions(+), 6 deletions(-)

diff --git a/tools/libvchan/io.c b/tools/libvchan/io.c
index 2383364..804c63c 100644
--- a/tools/libvchan/io.c
+++ b/tools/libvchan/io.c
@@ -111,12 +111,26 @@ static inline int send_notify(struct libxenvchan *ctrl, uint8_t bit)
 		return 0;
 }
 
+/*
+ * Get the amount of buffer space available, and do nothing about
+ * notifications.
+ */
+static inline int raw_get_data_ready(struct libxenvchan *ctrl)
+{
+	uint32_t ready = rd_prod(ctrl) - rd_cons(ctrl);
+	if (ready >= rd_ring_size(ctrl))
+		/* We have no way to return errors.  Locking up the ring is
+		 * better than the alternatives. */
+		return 0;
+	return ready;
+}
+
 /**
  * Get the amount of buffer space available and enable notifications if needed.
  */
 static inline int fast_get_data_ready(struct libxenvchan *ctrl, size_t request)
 {
-	int ready = rd_prod(ctrl) - rd_cons(ctrl);
+	int ready = raw_get_data_ready(ctrl);
 	if (ready >= request)
 		return ready;
 	/* We plan to consume all data; please tell us if you send more */
@@ -126,7 +140,7 @@ static inline int fast_get_data_ready(struct libxenvchan *ctrl, size_t request)
 	 * will not get notified even though the actual amount of data ready is
 	 * above request. Reread rd_prod to cover this case.
 	 */
-	return rd_prod(ctrl) - rd_cons(ctrl);
+	return raw_get_data_ready(ctrl);
 }
 
 int libxenvchan_data_ready(struct libxenvchan *ctrl)
@@ -135,7 +149,21 @@ int libxenvchan_data_ready(struct libxenvchan *ctrl)
 	 * when it changes
 	 */
 	request_notify(ctrl, VCHAN_NOTIFY_WRITE);
-	return rd_prod(ctrl) - rd_cons(ctrl);
+	return raw_get_data_ready(ctrl);
+}
+
+/**
+ * Get the amount of buffer space available, and do nothing
+ * about notifications
+ */
+static inline int raw_get_buffer_space(struct libxenvchan *ctrl)
+{
+	uint32_t ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
+	if (ready > wr_ring_size(ctrl))
+		/* We have no way to return errors.  Locking up the ring is
+		 * better than the alternatives. */
+		return 0;
+	return ready;
 }
 
 /**
@@ -143,7 +171,7 @@ int libxenvchan_data_ready(struct libxenvchan *ctrl)
  */
 static inline int fast_get_buffer_space(struct libxenvchan *ctrl, size_t request)
 {
-	int ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
+	int ready = raw_get_buffer_space(ctrl);
 	if (ready >= request)
 		return ready;
 	/* We plan to fill the buffer; please tell us when you've read it */
@@ -153,7 +181,7 @@ static inline int fast_get_buffer_space(struct libxenvchan *ctrl, size_t request
 	 * will not get notified even though the actual amount of buffer space
 	 * is above request. Reread wr_cons to cover this case.
 	 */
-	return wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
+	return raw_get_buffer_space(ctrl);
 }
 
 int libxenvchan_buffer_space(struct libxenvchan *ctrl)
@@ -162,7 +190,7 @@ int libxenvchan_buffer_space(struct libxenvchan *ctrl)
 	 * when it changes
 	 */
 	request_notify(ctrl, VCHAN_NOTIFY_READ);
-	return wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
+	return raw_get_buffer_space(ctrl);
 }
 
 int libxenvchan_wait(struct libxenvchan *ctrl)
@@ -176,6 +204,8 @@ int libxenvchan_wait(struct libxenvchan *ctrl)
 
 /**
  * returns -1 on error, or size on success
+ *
+ * caller must have checked that enough space is available
  */
 static int do_send(struct libxenvchan *ctrl, const void *data, size_t size)
 {
@@ -248,6 +278,11 @@ int libxenvchan_write(struct libxenvchan *ctrl, const void *data, size_t size)
 	}
 }
 
+/**
+ * returns -1 on error, or size on success
+ *
+ * caller must have checked that enough data is available
+ */
 static int do_recv(struct libxenvchan *ctrl, void *data, size_t size)
 {
 	int real_idx = rd_cons(ctrl) & (rd_ring_size(ctrl) - 1);
-- 
1.7.10.4

_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users
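Review bot: In the first hunk (raw_get_data_ready) the bound is `if (ready >= rd_ring_size(ctrl))`, which also rejects ready == rd_ring_size, yet that is the state of a legitimately full ring: raw_get_buffer_space in this same patch accepts wr_prod - wr_cons == wr_ring_size (it yields a space of 0, not the error value), so a sender may fill the ring completely and the receiver would then report 0 bytes ready and never drain it. Use `>` here, matching the buffer-space check. The new block comment also says "Get the amount of buffer space available" for a function that returns the amount of data ready; the wording should say "data ready".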
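Review bot: In the raw_get_buffer_space hunk the doc comment opens with `/**` while its sibling raw_get_data_ready uses `/*`, and this one drops the trailing period; the two functions are meant to be read as a pair, so pick one comment form for both. The bound itself, `if (ready > wr_ring_size(ctrl))`, is right: any wr_prod - wr_cons above the ring size wraps the unsigned subtraction to a value above wr_ring_size and is caught, while in-range states give 0..wr_ring_size and pass through.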
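Review bot: In the do_send hunk the new comment states a precondition ("caller must have checked that enough space is available") but nothing in do_send enforces it, and with this patch the only in-function defence left is the index masking; state the contract in terms of the new accessor, e.g. "caller must have checked size <= raw_get_buffer_space(ctrl)", so a reader can verify each call site against it, or add an assert of that condition at the top of do_send.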
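Review bot: In the do_recv hunk the context line `int real_idx = rd_cons(ctrl) & (rd_ring_size(ctrl) - 1);` is what keeps the copy inside the ring once the counts are sanitised, and the mask only works when rd_ring_size is a power of two; the new comment block above do_recv is the natural place to record that assumption next to the "enough data is available" precondition, since the proof sketch in the commit message relies on it.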
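The ISSUE DESCRIPTION above is terse about how a peer-writable index turns into an out-of-ring read or write. The following C is an added example, not libvchan's code and not the attached patch: a toy model of one direction of a shared ring (the `struct ring` fields, the `demo_*` scenarios and their values are all constructed here) that shows the unsanitised count beside the sanitised accessors and a receive routine that masks its index before a two-part, wrap-aware copy. The sanitised data-ready check uses `>` rather than `>=`, so that a full ring (exactly ring_size bytes in flight) is still drained; that is this example's choice, not something the advisory states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of one direction of a vchan-style shared ring (constructed for
 * this example; not libvchan's own structures). Both index words live in
 * memory the peer can write at any moment, so nothing read from them may be
 * trusted. ring_size must be a power of two so that index masking works. */
struct ring {
    uint32_t prod;       /* total bytes produced, advanced by the sender   */
    uint32_t cons;       /* total bytes consumed, advanced by the receiver */
    uint32_t ring_size;  /* power of two                                    */
    uint8_t *buf;        /* ring_size bytes of shared memory               */
};

/* Pre-fix shape of the computation: the unsigned difference is handed back
 * as a signed count, so a tampered index yields a negative or oversized
 * value and a later memcpy of that many bytes runs off the ring. */
static int unsanitised_data_ready(const struct ring *r)
{
    return (int)(r->prod - r->cons);
}

/* Sanitised form. Unsigned arithmetic folds every inconsistent ring state
 * (cons ahead of prod, or more than ring_size bytes "in flight") into a
 * value above ring_size, which is mapped to 0. Equality passes: prod - cons
 * == ring_size is simply a full ring. */
static int sanitised_data_ready(const struct ring *r)
{
    uint32_t ready = r->prod - r->cons;
    if (ready > r->ring_size)
        return 0;   /* no error path here; stalling beats overflowing */
    return (int)ready;
}

/* Space the sender may still write: ring_size minus bytes in flight. Any
 * tampered state wraps the subtraction to a value above ring_size. */
static int sanitised_buffer_space(const struct ring *r)
{
    uint32_t space = r->ring_size - (r->prod - r->cons);
    if (space > r->ring_size)
        return 0;
    return (int)space;
}

/* Receive up to `size` bytes into `data`; returns the number copied. The
 * count comes from the sanitised accessor and the start index is masked
 * into the ring before the (possibly wrapping) two-part copy, so the copy
 * can only ever touch bytes inside r->buf. */
static int ring_recv(struct ring *r, void *data, size_t size)
{
    int avail = sanitised_data_ready(r);
    if (avail <= 0)
        return 0;
    if (size > (size_t)avail)
        size = (size_t)avail;

    uint32_t idx = r->cons & (r->ring_size - 1);
    size_t first = r->ring_size - idx;       /* bytes before the wrap point */
    if (first > size)
        first = size;
    memcpy(data, r->buf + idx, first);
    memcpy((uint8_t *)data + first, r->buf, size - first);

    r->cons += (uint32_t)size;
    return (int)size;
}

/* Constructed scenario: a 16-byte ring holding 8 bytes that straddle the
 * wrap point. Fills `out` (8 bytes) and returns the count received. */
static int demo_recv_across_wrap(uint8_t out[8])
{
    uint8_t buf[16];
    for (int i = 0; i < 16; i++)
        buf[i] = (uint8_t)i;
    struct ring r = { .prod = 20, .cons = 12, .ring_size = 16, .buf = buf };
    return ring_recv(&r, out, 8);
}

/* Constructed scenario: the peer rewinds cons past prod. `which` selects
 * the accessor so the before/after values can be compared side by side. */
static int demo_tampered_cons(int which)
{
    uint8_t buf[16];
    struct ring r = { .prod = 20, .cons = 25, .ring_size = 16, .buf = buf };
    switch (which) {
    case 0:  return unsanitised_data_ready(&r);  /* -5: would mis-size a memcpy */
    case 1:  return sanitised_data_ready(&r);    /* 0 */
    default: return sanitised_buffer_space(&r);  /* 0 */
    }
}

/* Constructed scenario: a legitimately full ring (16 bytes in flight). */
static int demo_full_ring(int which)
{
    uint8_t buf[16];
    struct ring r = { .prod = 16, .cons = 0, .ring_size = 16, .buf = buf };
    return which == 0 ? sanitised_data_ready(&r) : sanitised_buffer_space(&r);
}

int main(void)
{
    uint8_t out[8];
    printf("received %d bytes, first %u last %u\n",
           demo_recv_across_wrap(out), out[0], out[7]);
    printf("tampered cons: unsanitised=%d sanitised=%d space=%d\n",
           demo_tampered_cons(0), demo_tampered_cons(1), demo_tampered_cons(2));
    return 0;
}
```

The two accessors are the whole defence against index tampering: once a count is guaranteed to lie in 0..ring_size and the start offset is masked, the worst a hostile peer can do is make the copy land on the wrong bytes of the ring, which it could do anyway by misusing the protocol. The full-ring scenario is why the data-ready bound is `>` and not `>=`: the buffer-space side already treats ring_size bytes in flight as valid (space 0), so the reader must accept the same state or the channel stalls.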