Xen.org security team
2013-Jun-03 16:19 UTC
Xen Security Advisory 55 - Multiple vulnerabilities in libelf PV kernel handling
Xen Security Advisory XSA-55
Multiple vulnerabilities in libelf PV kernel handling
NOTE REGARDING LACK OF EMBARGO
=============================
Due to a human error this issue was prematurely publicly disclosed to
the xen-devel mailing list. Therefore this advisory is being published
immediately.
The Xen.org security team apologizes for this error and will review its
procedures to avoid it in the future.
STATUS OF THE FIX
================
Due to the unintended early release of these patches they have not
received as much review or testing as we would have liked.
Due to the method used to fix the issue we have reasonable confidence
that the security vulnerability is addressed by these patches however
there is a risk of regressions when loading kernels which are in fact
OK, i.e. treating valid kernels as malicious.
We have not yet been assigned a CVE number for this issue.
ISSUE DESCRIPTION
================
The ELF parser used by the Xen tools to read domains' kernels and
construct domains has multiple integer overflows, pointer dereferences
based on calculations from unchecked input values, and other problems.
IMPACT
=====
A malicious PV domain administrator who can specify their own kernel
can escalate their privilege to that of the domain construction tools
(i.e., normally, to control of the host).
Additionally a malicious HVM domain administrator who is able to
supply their own firmware ("hvmloader") can do likewise; however we
think this would be very unusual and it is unlikely that such
configurations exist in production systems.
VULNERABLE SYSTEMS
=================
All Xen versions are affected.
Installations which only allow the use of trustworthy kernels for PV
domains are not affected.
MITIGATION
=========
Ensuring that PV guests use only trustworthy kernels will avoid this
problem.
RESOLUTION
=========
Applying the appropriate attached patch series is intended to resolve
this issue.
xsa55-4.1/*.patch Xen 4.1.x
xsa55-4.2/*.patch Xen 4.2.x
xsa55-unstable/*.patch xen-unstable
$ sha256sum xsa55-*/**.patch
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
Xen.org security team
2013-Jun-07 16:57 UTC
Xen Security Advisory 55 - Multiple vulnerabilities in libelf PV kernel handling
Xen Security Advisory XSA-55
version 2
Multiple vulnerabilities in libelf PV kernel handling
UPDATES IN VERSION 2
===================
Updated information regarding the status of the fix.
STATUS OF THE FIX
================
Due to the unintended early release of these patches they have not
received as much review or testing as we would have liked.
As discussed on xen-devel, the patches distributed with version 2 of
the advisory are known to introduce regressions and also additional
issues in the same have been discovered. An updated patch series is
in preparation. Technical assistance with review of the drafts would
be greatly appreciated.
Under the circumstances, we are sending this version of the advisory
out without any attached patches.
We have not yet been assigned a CVE number for this issue.
ISSUE DESCRIPTION
================
The ELF parser used by the Xen tools to read domains' kernels and
construct domains has multiple integer overflows, pointer dereferences
based on calculations from unchecked input values, and other problems.
IMPACT
=====
A malicious PV domain administrator who can specify their own kernel
can escalate their privilege to that of the domain construction tools
(i.e., normally, to control of the host).
Additionally a malicious HVM domain administrator who is able to
supply their own firmware ("hvmloader") can do likewise; however we
think this would be very unusual and it is unlikely that such
configurations exist in production systems.
VULNERABLE SYSTEMS
=================
All Xen versions are affected.
Installations which only allow the use of trustworthy kernels for PV
domains are not affected.
MITIGATION
=========
Ensuring that PV guests use only trustworthy kernels will avoid this
problem.
RESOLUTION
=========
The patch series to properly resolve this issue is under development.
Ian Jackson
2013-Jun-13 13:46 UTC
Re: Xen Security Advisory 55 - Multiple vulnerabilities in libelf PV kernel handling
Chuck Anderson writes ("Re: Xen Security Advisory 55 - Multiple
vulnerabilities
> >> * 907abe4 2013-06-07 | libxc: check blob size before proceeding...
> >>
> >> @@ -278,6 +278,10 @@ size_t xc_dom_check_gzip(xc_interface *xch,
void
> >> *blob, siz
> >> + if ( ziplen < 6 )
> >> + /* too small */
> >> + return 0;
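Review bot: the bare 6 in `if ( ziplen < 6 )` needs a comment stating which bytes of the blob the function goes on to read before the size is otherwise validated, so a reviewer can confirm that 6 bounds every such access rather than take the constant on trust; also check that 0 is the value callers already treat as "not a gzip blob", since the new early return reuses it.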
> >>
> >> Add #define for MIN_ZIPLEN and include a comment on why it is 6. Then:
> >> + if ( MIN_ZIPLEN < 6 )
> >
> > The code below uses simple integers. Your proposal would separate the
> > definition of the limit to be applied from the code which is to be
> > protected, so I think it's better the way it is.
>
> I think it is better to use good programming practices with new code
> even if existing code doesn't. In any case I think a comment saying why
> 6 is used would be good. That way a reviewer knows what your
> assumptions are and can evaluate if it is an appropriate value.
I'll add a comment.
> >> **********
> >>
> >> * 1448048 2013-06-07 | libxc: range checks in xc_dom_p2m_host and...
> >> OK
> >
> > Thanks. Should I take this as a formal Reviewed-by and put your name
> > on the patch?
>
> Yes. For all "OK", please add:
> Reviewed-by Chuck Anderson <chuck.anderson@oracle.com>
Excellent, thanks.
> >> **********
> >>
> >> * e80dd92 2013-06-07 | libxc: Add range checking to xc_dom_binloader
> >>
> >> @@ -123,9 +123,12 @@ static struct xen_bin_image_table
> >> *find_table(struct xc_dom
> >> probe_ptr = dom->kernel_blob;
> >> probe_end = dom->kernel_blob + dom->kernel_size -
sizeof(*table);
> >> - if ( (void*)probe_end > (dom->kernel_blob + 8192) )
> >> + if ( dom->kernel_size >= 8192 &&
> >> + (void*)probe_end > (dom->kernel_blob + 8192) )
> >> probe_end = dom->kernel_blob + 8192;
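Review bot: `probe_end = dom->kernel_blob + dom->kernel_size - sizeof(*table)` is still computed before any size check, so a blob shorter than sizeof(*table) makes probe_end point before kernel_blob; the new `dom->kernel_size >= 8192 &&` guard only protects the clamp comparison that follows. Reject too-small blobs first, e.g. `if ( dom->kernel_size < sizeof(*table) ) return NULL;` ahead of the probe_end assignment (find_table returns a pointer, so NULL for "no table" fits its signature).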
> >>
> >> probe_end is kernel_blob + dom->kernel_size - metadata table size
> >> You could simplify the code and make it clearer by changing:
> >>
> >> + if ( dom->kernel_size >= 8192 &&
> >> + (void*)probe_end > (dom->kernel_blob + 8192) )
> >> probe_end = dom->kernel_blob + 8192;
> >>
> >> to:
> >>
> >> + if ( dom->kernel_size > (8192 - sizeof(*table)) )
> >> probe_end = dom->kernel_blob + 8192;
> >
> > Perhaps, but I think it's probably better to make a smaller change
> > here. If we were to change it I think the change would be this:
> >
> > - probe_end = dom->kernel_blob + dom->kernel_size - sizeof(*table);
> > + if ( dom->kernel_size > (8192 - sizeof(*table)) )
> > probe_end = dom->kernel_blob + 8192;
> > else
> > + probe_end = dom->kernel_blob + dom->kernel_size - sizeof(*table);
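Review bot: the condition `dom->kernel_size > (8192 - sizeof(*table))`, in both the suggestion and the alternative above, is not equivalent to the check it replaces and clamps too early. The original clamps only when `dom->kernel_size - sizeof(*table)` exceeds 8192; the proposal clamps as soon as kernel_size exceeds `8192 - sizeof(*table)`. For any kernel_size between those two values probe_end becomes `dom->kernel_blob + 8192`, which lies beyond `dom->kernel_blob + dom->kernel_size - sizeof(*table)`, i.e. past the last position at which a whole table fits inside the blob. The equivalent form is `dom->kernel_size > 8192 + sizeof(*table)`, and the else branch still needs blobs shorter than sizeof(*table) rejected beforehand.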
>
> Yep, that works.
I think at this stage of the development of the series, I would prefer
not to change it though. Thanks for your comment though.
> >> * 8dfa66a 2013-06-07 | libxc: Fix range checking in xc_dom_pfn_to_ptr...
...
> >> Replace the last 6 instructions with:
> >> + ptr = xc_dom_pfn_to_ptr_retcount(dom, page, 0, &safe_region_count);
> >> + if ( ptr != NULL )
> >> + *safe_region_out = (safe_region_count << XC_DOM_PAGE_SHIFT(dom)) - offset;
> >> + else
> >> + *safe_region_out = 0;
> >> + return ptr;
> >
> > I'm not sure why?
>
> - I'm assuming "if ( ptr != NULL )" is the expected path.
> Handling it first prevents the likely branch mis-prediction.
> Not a big deal but good to do if practical as is the case here.
>
> - "*safe_region_out = 0" will be overwritten in the expected code path
> so do it only when needed.
I don't think this is such a hot path that we should be thinking about
these kinds of optimisations here. Setting *safe_region_out=0 at the
start is a simple guard against any error exit paths, even though at
the moment there is only one such.
> >> if ( pfn > dom->total_pages || /* multiple checks to avoid overflows */
> >>
> >> Isn't pfn zero-based? If so, the test should be:
> >>
> >> if ( pfn >= dom->total_pages || /* multiple checks to avoid overflows */
> >>
> >> I believe there are similar off-by-one errors in existing code if pfn is
> >> zero-based.
> >
> > If count is nonzero then this will be caught by the third inequality.
> > This code isn't touched by my patch series.
>
> I was reviewing just the changes in the patch but that chunk of existing
> code caught my eye.
I see.
> Normally a pfn is zero-based. If you have N pfns they would be numbered
> 0, 1, ..., N-1.
Yes. However as I say if count is nonzero this works correctly I
think.
If count is zero then we are in the other case where we look up an
existing block, which has different length checks. It says:
if ( pfn >= phys->first + phys->count )
continue;
which will mean that pfn must be < phys->first + phys->count, i.e. it
must be strictly within the block.
So this code is currently fine.
Thanks,
Ian.
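As an added example, not Xen's code and not from the thread, here is the find_table probe-window computation discussed above done with offsets instead of pointers, so that a blob shorter than the table and a blob shorter than 8192 bytes are both handled without forming an out-of-range pointer; it assumes a hypothetical stand-in for struct xen_bin_image_table, a constructed magic value and a 4-byte scan stride, and proposed_clamp_overruns() reports the sizes for which the `kernel_size > 8192 - sizeof(*table)` simplification proposed in the thread probes past the last offset at which a table fits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Search window from the patch under review: only the first 8192 bytes of
 * the kernel blob are scanned for the table. */
#define PROBE_LIMIT 8192u

/* Hypothetical stand-in for struct xen_bin_image_table; the page does not
 * show the real layout, only that the scan subtracts sizeof(*table). */
struct bin_table {
    uint32_t magic;
    uint32_t flags;
    uint32_t load_addr;
    uint32_t entry_addr;
};
#define BIN_MAGIC 0x336ec578u   /* constructed value, not Xen's */

/* Last offset at which a whole table still fits inside a blob of kernel_size
 * bytes, limited to the PROBE_LIMIT window (probe_end in the patch, read as
 * an inclusive bound). Returns false when no table can fit at all, the case
 * in which "dom->kernel_size - sizeof(*table)" underflows in the original. */
bool probe_last_offset(size_t kernel_size, size_t *last)
{
    if (kernel_size < sizeof(struct bin_table))
        return false;
    *last = kernel_size - sizeof(struct bin_table);
    if (*last > PROBE_LIMIT)
        *last = PROBE_LIMIT;
    return true;
}

/* Scan for the table in 4-byte steps (an assumed stride; the hunk does not
 * show the loop). Returns the table's offset, or (size_t)-1 when none is
 * found or the blob is too small. Offsets rather than pointers are compared,
 * so no pointer outside the blob is ever formed. */
size_t find_table_offset(const uint8_t *blob, size_t kernel_size)
{
    size_t off, last;
    uint32_t magic;

    if (!probe_last_offset(kernel_size, &last))
        return (size_t)-1;
    for (off = 0; off <= last; off += 4) {
        memcpy(&magic, blob + off, sizeof magic);   /* alignment-safe read */
        if (magic == BIN_MAGIC)
            return off;
    }
    return (size_t)-1;
}

/* The simplification proposed in the thread clamps whenever
 * kernel_size > 8192 - sizeof(*table); the original clamps only when
 * kernel_size - sizeof(*table) > 8192. For sizes between those thresholds
 * the proposal sets probe_end = kernel_blob + 8192, which is beyond the last
 * offset at which a table fits. Returns true for exactly those sizes. */
bool proposed_clamp_overruns(size_t kernel_size)
{
    size_t last;
    bool proposal_clamps;

    if (!probe_last_offset(kernel_size, &last))
        return false;   /* too small: the separate underflow defect above */
    proposal_clamps = kernel_size > PROBE_LIMIT - sizeof(struct bin_table);
    return proposal_clamps && PROBE_LIMIT > last;
}

/* Constructed sample input: a zero-filled blob of blob_len bytes (at most
 * 256) with BIN_MAGIC written at magic_at; returns what the scan finds. */
size_t demo_find(size_t blob_len, size_t magic_at)
{
    static uint8_t blob[256];
    uint32_t magic = BIN_MAGIC;

    if (blob_len > sizeof blob || magic_at + sizeof magic > sizeof blob)
        return (size_t)-1;
    memset(blob, 0, sizeof blob);
    memcpy(blob + magic_at, &magic, sizeof magic);
    return find_table_offset(blob, blob_len);
}

int main(void)
{
    printf("64-byte blob, magic at 20: found at %zu\n", demo_find(64, 20));
    printf("32-byte blob, magic at 24 (table would not fit): %zd\n",
           (ptrdiff_t)demo_find(32, 24));
    printf("kernel_size 8190: proposed clamp overruns? %s\n",
           proposed_clamp_overruns(8190) ? "yes" : "no");
    return 0;
}
```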
Xen.org security team
2013-Jun-14 16:14 UTC
Xen Security Advisory 55 - Multiple vulnerabilities in libelf PV kernel handling
Xen Security Advisory XSA-55
version 3
Multiple vulnerabilities in libelf PV kernel handling
UPDATES IN VERSION 3
===================
Fixed patch series provided. These patches have been as thoroughly
reviewed as possible and subjected to various regression testing.
NOTE REGARDING CVE
=================
We have not yet been assigned a CVE number for this issue.
ISSUE DESCRIPTION
================
The ELF parser used by the Xen tools to read domains' kernels and
construct domains has multiple integer overflows, pointer dereferences
based on calculations from unchecked input values, and other problems.
IMPACT
=====
A malicious PV domain administrator who can specify their own kernel
can escalate their privilege to that of the domain construction tools
(i.e., normally, to control of the host).
Additionally a malicious HVM domain administrator who is able to
supply their own firmware ("hvmloader") can do likewise; however we
think this would be very unusual and it is unlikely that such
configurations exist in production systems.
VULNERABLE SYSTEMS
=================
All Xen versions are affected.
Installations which only allow the use of trustworthy kernels for PV
domains are not affected.
MITIGATION
=========
Ensuring that PV guests use only trustworthy kernels will avoid this
problem.
RESOLUTION
=========
Applying the appropriate attached patch series will resolve this
issue.
xsa55-4.1/*.patch Xen 4.1.x
xsa55-4.2/*.patch Xen 4.2.x
xsa55-unstable/*.patch xen-unstable
$ sha256sum xsa55-*/*.patch
Xen.org security team
2013-Jun-14 16:46 UTC
Xen Security Advisory 55 - Multiple vulnerabilities in libelf PV kernel handling
Xen Security Advisory XSA-55
version 4
Multiple vulnerabilities in libelf PV kernel handling
UPDATES IN VERSION 4
===================
We are sending out a version 4 of this advisory with no files
attached. This is because the size of the version 3 advisory email
caused delivery problems for some recipients.
This version instead quotes the patchset git changeset ids in xen.git.
UPDATES IN VERSION 3
===================
Fixed patch series provided. These patches have been as thoroughly
reviewed as possible and subjected to various regression testing.
NOTE REGARDING CVE
=================
We have not yet been assigned a CVE number for this issue.
ISSUE DESCRIPTION
================
The ELF parser used by the Xen tools to read domains' kernels and
construct domains has multiple integer overflows, pointer dereferences
based on calculations from unchecked input values, and other problems.
IMPACT
=====
A malicious PV domain administrator who can specify their own kernel
can escalate their privilege to that of the domain construction tools
(i.e., normally, to control of the host).
Additionally a malicious HVM domain administrator who is able to
supply their own firmware ("hvmloader") can do likewise; however we
think this would be very unusual and it is unlikely that such
configurations exist in production systems.
VULNERABLE SYSTEMS
=================
All Xen versions are affected.
Installations which only allow the use of trustworthy kernels for PV
domains are not affected.
MITIGATION
=========
Ensuring that PV guests use only trustworthy kernels will avoid this
problem.
RESOLUTION
=========
Applying the appropriate patch series will resolve this issue.
These were attached to v3 of the advisory which can be found here:
http://lists.xen.org/archives/html/xen-devel/2013-06/msg01626.html
These are available in xen.git
http://xenbits.xen.org/gitweb/?p=xen.git
git://xenbits.xen.org/xen.git
http://xenbits.xen.org/git-http/xen.git
in the git changesets listed below.
xen-unstable:
82cb4113b6ace16de192021de20f6cbd991e478f libxc: Better range check in
xc_dom_alloc_segment
966070058d02cce9684e30073b61d6465e4b351c libxc: check blob size before
proceeding in xc_dom_check_gzip
de7911eaef98b6643d80e4612fe4dcd4528d15b9 libxc: range checks in xc_dom_p2m_host
and _guest
3d5a1d4733e55e33521cd5004cab1313e5c5d5ff libxc: check return values from malloc
aaebaba5ae225f591e0602e071037a935bb281b6 libxc: check failure of
xc_dom_*_to_ptr, xc_map_foreign_range
2bcee4b3c316379f4b52cb308947eb6db3faf1a0 libxc: Add range checking to
xc_dom_binloader
66fe2726fe8492676f9970b9c2c511bce6186ece libelf: abolish obsolete macros
39bf7b9d0ae534491745e54df5232127c0bddaf1 libelf: check loops for running away
a004800f8fc607b96527815c8e3beabcb455d8e0 libelf: use only unsigned integers
7a549a6aa04dba807f8dd4c1577ab6a7592c4c76 libelf: use C99 bool for booleans
c84481fbc7de7d15ff7476b3b9cd2713f81feaa3 libelf: Make all callers call
elf_check_broken
943de71cf07d9d04ccb215bd46153b04930e9f25 libelf: Check pointer references in
elf_is_elfbinary
65808a8ed41cc7c044f588bd6cab5af0fdc0e029 libelf: check all pointer accesses
04877847ade4ac9216e9f408fd544ade8f90cf9a libelf: check nul-terminated strings
properly
50421bd56bf164f490d7d0bf5741e58936de41e8 tools/xcutils/readnotes: adjust
print_l1_mfn_valid_note
85256359995587df00001dca22e9a76ba6ea8258 libelf: introduce macros for memory
access and pointer handling
95dd49bed681af93f71a401b0a35bf2f917c6e68 libelf/xc_dom_load_elf_symtab: Do not
use "syms" uninitialised
f7aa72ec00aec71eed055dac5e8a151966d75c9c libelf: move include of
<asm/guest_access.h> to top of file
13e2c808f7ea721c8f200062e2b9b977ee924471 libelf: abolish elf_sval and
elf_access_signed
009ddca51504ce80889937e485d44ac0f9290d63 libelf: add `struct elf_binary*' parameter to elf_load_image
b5a869209998fedadfe205d37addbd50a802998b libxc: Fix range checking in
xc_dom_pfn_to_ptr etc.
53bfcf585b09eb4ac2240f89d1ade77421cd2451 libxc: introduce
xc_dom_seg_to_ptr_pages
14573b974850d82de7aebad17e6471d27d847f2c libelf: abolish libelf-relocate.c
Xen 4.2.x:
d21d36e84354c04638b60a739a5f7c3d9f8adaf8 libxc: Better range check in xc_dom_alloc_segment
2a548e22915535ac13694eb38222903bca7245e3 libxc: check blob size before proceeding in xc_dom_check_gzip
052a689aa526ca51fd70528d4b0f83dfb2de99c1 libxc: range checks in xc_dom_p2m_host and _guest
8dc90d163650ce8aa36ae0b46debab83cc61edb6 libxc: check return values from malloc
77c0829fa751f052f7b8ec08287aef6e7ba97bc5 libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
b06e277b1fc08c7da3befeb3ac3950e1d941585d libxc: Add range checking to xc_dom_binloader
3baaa4ffcd3e7dd6227f9bdf817f90e5b75aeda2 libelf: abolish obsolete macros
52d8cc2dd3bb3e0f6d51e00280da934e8d91653a libelf: check loops for running away
e673ca50127b6c1263727aa31de0b8bb966ca7a2 libelf: use only unsigned integers
3fb6ccf2faccaf5e22e33a3155ccc72d732896d8 libelf: use C99 bool for booleans
a965b8f80388603d439ae2b8ee7b9b018a079f90 libelf: Make all callers call elf_check_broken
d0790bdad7496e720416b2d4a04563c4c27e7b95 libelf: Check pointer references in elf_is_elfbinary
cc8761371aac432318530c2ddfe2c8234bc0621f libelf: check all pointer accesses
db14d5bd9b6508adfcd2b910f454fae12fa4ba00 libelf: check nul-terminated strings properly
59f66d58180832af6b99a9e4489031b5c2f627ab tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
40020ab55a1e9a1674ddecdb70299fab4fe8579d libelf: introduce macros for memory access and pointer handling
de9089b449d2508b1ba05590905c7ebaee00c8c4 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
682a04488e7b3bd6c3448ab60599566eb7c6177a libelf: move include of <asm/guest_access.h> to top of file
83ec905922b496e1a5756e3a88405eb6c2c6ba88 libelf: abolish elf_sval and elf_access_signed
035634047d10c678cbb8801c4263747bdaf4e5b1 libelf: add `struct elf_binary*' parameter to elf_load_image
8c738fa5c1f3cfcd935b6191b3526f7ac8b2a5bd libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
a672da4b2d58ef12be9d7407160e9fb43cac75d9 libxc: introduce xc_dom_seg_to_ptr_pages
9737484becab4a25159f1e985700eaee89690d34 libelf: abolish libelf-relocate.c
Xen 4.1.x:
ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978 libxc: check blob size before proceeding in xc_dom_check_gzip
6eca85d5c144ee8c899ee3cf8791f9087b15f2e8 libxc: range checks in xc_dom_p2m_host and _guest
a2986a7959919bc748784bb75970bfbd42697d3b libxc: check return values from malloc
117a538dbef62f8d39159dea652e633e01b50a9a libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
40b76f1fb04af421c1415f7bcb168dfaa6960d0d libxc: Add range checking to xc_dom_binloader
4a3a60d8caee49af6951a672c55b08436a8d1f86 libelf: abolish obsolete macros
968c0399159c65e24bb8b9969259e18791e1f4d8 libelf: check loops for running away
282188ea84b9e0f9c4865f0609e7740f2f28e7b0 libxc: Introduce xc_bitops.h
86e39ce58e91fe55d4fdbc914cb1955c45acc20e libelf: use only unsigned integers
bd3dba9f435fa59f305407f7d9b34e1e164ddd98 libelf: use C99 bool for booleans
44c74b1ed31c75ed9026abf62ab7427a46d8027a libelf: Make all callers call elf_check_broken
9962d7ffcce97ec2d69a15ef861996b1ead33694 libelf: Check pointer references in elf_is_elfbinary
39923542bb43e67776c4e8292d4a5a1adef2bd3b libelf: check all pointer accesses
8ce60b35beaac91a97b79c004ca6bf5d58e7390b libelf: check nul-terminated strings properly
4e46085972d2367dff2345a73361c1c17b47ce73 tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
de49d6e83c3a8c753646b007972140ddbb746ba8 libelf: introduce macros for memory access and pointer handling
4d3339de1fe3cbf7b05487fdb6cadd7267950948 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
e719b136b750e5eee87c4647d1846e4e1e70eac0 libelf: abolish elf_sval and elf_access_signed
f7fb94409c562beec06094141ef262dc85f28dac libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
bbf40e6b6d47809f4289a866d7d167c25104ecc0 libxc: introduce xc_dom_seg_to_ptr_pages
64a0206c451920b72a9c5721a6f2427baf99e3dd libelf: abolish libelf-relocate.c
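The patch titles above share one defensive pattern: unsigned arithmetic, a bounds check before every dereference into the untrusted image, a sticky "broken" flag that callers must consult, header-table walks that cannot run away, and strings that must be NUL-terminated inside the image. The following is an added illustration of that pattern and is not Xen's libelf code; the struct, the function names and the sample image are constructed for the example.

```c
/* Added example, not Xen's libelf: bounds-checked access to an untrusted
 * ELF image. All names and the sample image are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct elf_blob {           /* untrusted kernel image as handed to the domain builder */
    const uint8_t *image;
    size_t size;
    bool broken;            /* sticky flag: once set, callers must refuse the image */
};

/* True only if [off, off+len) lies inside the image. The subtraction form
 * cannot overflow, unlike "off + len > size" with an attacker-chosen off. */
static bool elf_range_ok(struct elf_blob *e, uint64_t off, uint64_t len)
{
    if (off > e->size || len > e->size - off) { e->broken = true; return false; }
    return true;
}

/* Checked little-endian 32-bit load; returns 0 and marks broken when out of range. */
static uint32_t elf_load32(struct elf_blob *e, uint64_t off)
{
    if (!elf_range_ok(e, off, 4)) return 0;
    const uint8_t *p = e->image + off;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Magic check that validates the size before touching any byte. */
static bool elf_is_elfbinary(struct elf_blob *e)
{
    return elf_range_ok(e, 0, 4) && memcmp(e->image, "\x7f" "ELF", 4) == 0;
}

/* A header-table walk that cannot run away: entsize must be non-zero,
 * entsize*count must not overflow, and the whole table must fit. */
static bool elf_table_ok(struct elf_blob *e, uint64_t off, uint64_t entsize, uint64_t count)
{
    if (entsize == 0 || count > UINT64_MAX / entsize) { e->broken = true; return false; }
    return elf_range_ok(e, off, entsize * count);
}

/* A string is usable only if its NUL terminator lies inside the image. */
static bool elf_string_ok(struct elf_blob *e, uint64_t off)
{
    if (off >= e->size || memchr(e->image + off, 0, e->size - off) == NULL) {
        e->broken = true; return false;
    }
    return true;
}

/* Constructed sample: ELF magic, four ident bytes, then the string "ok". */
static const uint8_t sample_image[] = { 0x7f, 'E', 'L', 'F', 1, 1, 1, 0, 'o', 'k', 0 };
```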
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel