Xen.org security team
2013-Jun-20 10:26 UTC
Xen Security Advisory 55 (CVE-2013-2194, CVE-2013-2195, CVE-2013-2196) - Multiple vulnerabilities in libelf PV kernel handling
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-2194,CVE-2013-2195,CVE-2013-2196 / XSA-55 version 5 Multiple vulnerabilities in libelf PV kernel handling UPDATES IN VERSION 5 =================== CVE numbers have been assigned. ISSUE DESCRIPTION ================ The ELF parser used by the Xen tools to read domains'' kernels and construct domains has multiple integer overflows, pointer dereferences based on calculations from unchecked input values, and other problems. This corresponds to the following CVEs: CVE-2013-2194 XEN XSA-55 integer overflows CVE-2013-2195 XEN XSA-55 pointer dereferences CVE-2013-2196 XEN XSA-55 other problems IMPACT ===== A malicious PV domain administrator who can specify their own kernel can escalate their privilege to that of the domain construction tools (i.e., normally, to control of the host). Additionally a malicious HVM domain administrator who is able to supply their own firmware ("hvmloader") can do likewise; however we think this would be very unusual and it is unlikely that such configurations exist in production systems. VULNERABLE SYSTEMS ================= All Xen versions are affected. Installations which only allow the use of trustworthy kernels for PV domains are not affected. MITIGATION ========= Ensuring that PV guests use only trustworthy kernels will avoid this problem. RESOLUTION ========= Applying the appropriate patch series will resolve this issue. These were attached to v3 of the advisory which can be found here: http://lists.xen.org/archives/html/xen-devel/2013-06/msg01626.html These are available in xen.git http://xenbits.xen.org/gitweb/?p=xen.git git://xenbits.xen.org/xen.git http://xenbits.xen.org/git-http/xen.git in the git changesets listed below. xen-unstable: 82cb4113b6ace16de192021de20f6cbd991e478f libxc: Better range check in xc_dom_alloc_segment 966070058d02cce9684e30073b61d6465e4b351c libxc: check blob size before proceeding in xc_dom_check_gzip de7911eaef98b6643d80e4612fe4dcd4528d15b9 libxc: range checks in xc_dom_p2m_host and _guest 3d5a1d4733e55e33521cd5004cab1313e5c5d5ff libxc: check return values from malloc aaebaba5ae225f591e0602e071037a935bb281b6 libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range 2bcee4b3c316379f4b52cb308947eb6db3faf1a0 libxc: Add range checking to xc_dom_binloader 66fe2726fe8492676f9970b9c2c511bce6186ece libelf: abolish obsolete macros 39bf7b9d0ae534491745e54df5232127c0bddaf1 libelf: check loops for running away a004800f8fc607b96527815c8e3beabcb455d8e0 libelf: use only unsigned integers 7a549a6aa04dba807f8dd4c1577ab6a7592c4c76 libelf: use C99 bool for booleans c84481fbc7de7d15ff7476b3b9cd2713f81feaa3 libelf: Make all callers call elf_check_broken 943de71cf07d9d04ccb215bd46153b04930e9f25 libelf: Check pointer references in elf_is_elfbinary 65808a8ed41cc7c044f588bd6cab5af0fdc0e029 libelf: check all pointer accesses 04877847ade4ac9216e9f408fd544ade8f90cf9a libelf: check nul-terminated strings properly 50421bd56bf164f490d7d0bf5741e58936de41e8 tools/xcutils/readnotes: adjust print_l1_mfn_valid_note 85256359995587df00001dca22e9a76ba6ea8258 libelf: introduce macros for memory access and pointer handling 95dd49bed681af93f71a401b0a35bf2f917c6e68 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised f7aa72ec00aec71eed055dac5e8a151966d75c9c libelf: move include of <asm/guest_access.h> to top of file 13e2c808f7ea721c8f200062e2b9b977ee924471 libelf: abolish elf_sval and elf_access_signed 009ddca51504ce80889937e485d44ac0f9290d63 libelf: add `struct elf_binary*'' parameter to elf_load_image b5a869209998fedadfe205d37addbd50a802998b libxc: Fix range checking in xc_dom_pfn_to_ptr etc. 53bfcf585b09eb4ac2240f89d1ade77421cd2451 libxc: introduce xc_dom_seg_to_ptr_pages 14573b974850d82de7aebad17e6471d27d847f2c libelf: abolish libelf-relocate.c Xen 4.2.x: d21d36e84354c04638b60a739a5f7c3d9f8adaf8 libxc: Better range check in xc_dom_alloc_segment 2a548e22915535ac13694eb38222903bca7245e3 libxc: check blob size before proceeding in xc_dom_check_gzip 052a689aa526ca51fd70528d4b0f83dfb2de99c1 libxc: range checks in xc_dom_p2m_host and _guest 8dc90d163650ce8aa36ae0b46debab83cc61edb6 libxc: check return values from malloc 77c0829fa751f052f7b8ec08287aef6e7ba97bc5 libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range b06e277b1fc08c7da3befeb3ac3950e1d941585d libxc: Add range checking to xc_dom_binloader 3baaa4ffcd3e7dd6227f9bdf817f90e5b75aeda2 libelf: abolish obsolete macros 52d8cc2dd3bb3e0f6d51e00280da934e8d91653a libelf: check loops for running away e673ca50127b6c1263727aa31de0b8bb966ca7a2 libelf: use only unsigned integers 3fb6ccf2faccaf5e22e33a3155ccc72d732896d8 libelf: use C99 bool for booleans a965b8f80388603d439ae2b8ee7b9b018a079f90 libelf: Make all callers call elf_check_broken d0790bdad7496e720416b2d4a04563c4c27e7b95 libelf: Check pointer references in elf_is_elfbinary cc8761371aac432318530c2ddfe2c8234bc0621f libelf: check all pointer accesses db14d5bd9b6508adfcd2b910f454fae12fa4ba00 libelf: check nul-terminated strings properly 59f66d58180832af6b99a9e4489031b5c2f627ab tools/xcutils/readnotes: adjust print_l1_mfn_valid_note 40020ab55a1e9a1674ddecdb70299fab4fe8579d libelf: introduce macros for memory access and pointer handling de9089b449d2508b1ba05590905c7ebaee00c8c4 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised 682a04488e7b3bd6c3448ab60599566eb7c6177a libelf: move include of <asm/guest_access.h> to top of file 83ec905922b496e1a5756e3a88405eb6c2c6ba88 libelf: abolish elf_sval and elf_access_signed 035634047d10c678cbb8801c4263747bdaf4e5b1 libelf: add `struct elf_binary*'' parameter to elf_load_image 8c738fa5c1f3cfcd935b6191b3526f7ac8b2a5bd libxc: Fix range checking in xc_dom_pfn_to_ptr etc. a672da4b2d58ef12be9d7407160e9fb43cac75d9 libxc: introduce xc_dom_seg_to_ptr_pages 9737484becab4a25159f1e985700eaee89690d34 libelf: abolish libelf-relocate.c Xen 4.1.x: ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978 libxc: check blob size before proceeding in xc_dom_check_gzip 6eca85d5c144ee8c899ee3cf8791f9087b15f2e8 libxc: range checks in xc_dom_p2m_host and _guest a2986a7959919bc748784bb75970bfbd42697d3b libxc: check return values from malloc 117a538dbef62f8d39159dea652e633e01b50a9a libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range 40b76f1fb04af421c1415f7bcb168dfaa6960d0d libxc: Add range checking to xc_dom_binloader 4a3a60d8caee49af6951a672c55b08436a8d1f86 libelf: abolish obsolete macros 968c0399159c65e24bb8b9969259e18791e1f4d8 libelf: check loops for running away 282188ea84b9e0f9c4865f0609e7740f2f28e7b0 libxc: Introduce xc_bitops.h 86e39ce58e91fe55d4fdbc914cb1955c45acc20e libelf: use only unsigned integers bd3dba9f435fa59f305407f7d9b34e1e164ddd98 libelf: use C99 bool for booleans 44c74b1ed31c75ed9026abf62ab7427a46d8027a libelf: Make all callers call elf_check_broken 9962d7ffcce97ec2d69a15ef861996b1ead33694 libelf: Check pointer references in elf_is_elfbinary 39923542bb43e67776c4e8292d4a5a1adef2bd3b libelf: check all pointer accesses 8ce60b35beaac91a97b79c004ca6bf5d58e7390b libelf: check nul-terminated strings properly 4e46085972d2367dff2345a73361c1c17b47ce73 tools/xcutils/readnotes: adjust print_l1_mfn_valid_note de49d6e83c3a8c753646b007972140ddbb746ba8 libelf: introduce macros for memory access and pointer handling 4d3339de1fe3cbf7b05487fdb6cadd7267950948 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised e719b136b750e5eee87c4647d1846e4e1e70eac0 libelf: abolish elf_sval and elf_access_signed f7fb94409c562beec06094141ef262dc85f28dac libxc: Fix range checking in xc_dom_pfn_to_ptr etc. bbf40e6b6d47809f4289a866d7d167c25104ecc0 libxc: introduce xc_dom_seg_to_ptr_pages 64a0206c451920b72a9c5721a6f2427baf99e3dd libelf: abolish libelf-relocate.c -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRwticAAoJEIP+FMlX6CvZFbEIAMjbI64TpgYSm3cRSFmdHol/ FC2d4mo/aeb8e24RCTnJvxP3oE+o1Oar5FGJi+AATDynzbqcuv7yK7iDQ9ZfwGm5 xZR+knkFKymWLsutb8uhDRT8eYCgmK8aQEXorvcjr69sxrxJascPGv4aHesNihxO t4tRqRbqGhAzkm9Gm32LaVz3UYCW2ZRs4lxDBjtW5HmsugaOarCYNTqSpftAiAkn XE8UChNUVO95PAJKRtmihLQ+TGJ9cyujBACrl6RsxdD8JZU6EP4rq7fccdzyqD6D +c5pw859mtukyy56fwfP5Ji6G9O2VrrZyf4kq13V74SPZ/LV3VKDalfaVVItLGQ=RVh5 -----END PGP SIGNATURE----- _______________________________________________ Xen-users mailing list Xen-users@lists.xen.org http://lists.xen.org/xen-users