Xen.org security team
2014-Feb-10 11:26 UTC
Xen Security Advisory 86 (CVE-2014-1896) - libvchan failure handling malicious ring indexes
Xen Security Advisory CVE-2014-1896 / XSA-86
version 3
libvchan failure handling malicious ring indexes
UPDATES IN VERSION 3
===================
CVE assigned.
ISSUE DESCRIPTION
================
libvchan (a library for inter-domain communication) does not correctly
handle unusual or malicious contents in the xenstore ring. A
malicious guest can exploit this to cause a libvchan-using facility to
read or write past the end of the ring.
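
The class of bug described above, as an added example (this is not libvchan's code and not the XSA-86 patch): a reader of a shared ring that validates peer-controlled indexes before copying. The struct layout, RING_SIZE and ring_read() are hypothetical names chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RING_SIZE 1024u   /* constructed size; must be a power of two */

/* Hypothetical shared page: the peer domain can store any value in prod/cons. */
struct shared_ring {
    volatile uint32_t prod;   /* free-running producer index */
    volatile uint32_t cons;   /* free-running consumer index */
    uint8_t data[RING_SIZE];
};

/* Copies up to `want` bytes into `out`.
 * Returns the number of bytes copied, or -1 if the indexes are inconsistent.
 * Memory barriers are omitted to keep the example short. */
long ring_read(struct shared_ring *r, uint8_t *out, size_t want)
{
    /* Snapshot each index once, so the peer cannot change it between
     * the check and the copy. */
    uint32_t prod = r->prod;
    uint32_t cons = r->cons;
    uint32_t avail = prod - cons;   /* unsigned wrap-around is intended */

    /* A well-behaved peer never has more than RING_SIZE bytes queued.
     * Without this check, a forged index makes the copies below run
     * past the end of data[]. */
    if (avail > RING_SIZE)
        return -1;
    if (want > avail)
        want = avail;

    uint32_t off = cons & (RING_SIZE - 1);  /* mask; never index with the raw value */
    size_t first = RING_SIZE - off;         /* bytes available before the wrap */
    if (first > want)
        first = want;
    memcpy(out, r->data + off, first);
    memcpy(out + first, r->data, want - first);

    r->cons = cons + (uint32_t)want;
    return (long)want;
}
```
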
IMPACT
=====
libvchan-using facilities are vulnerable to denial of service and
perhaps privilege escalation.
There are no such services provided in the upstream Xen Project
codebase.
VULNERABLE SYSTEMS
=================
All versions of libvchan are vulnerable. Only installations which use
libvchan for communication involving untrusted domains are vulnerable.
libvirt, xapi, xend, libxl and xl do not use libvchan. If your
installation contains other Xen-related software components it is
possible that they use libvchan and might be vulnerable.
Xen versions 4.1 and earlier do not contain libvchan.
MITIGATION
=========
Disabling libvchan-based facilities could be used to mitigate the
vulnerability.
CREDITS
======
This issue was discovered by Marek Marczykowski-Górecki of Invisible
Things Lab.
RESOLUTION
=========
Applying the appropriate attached patch resolves this issue.
After the patch is applied to the Xen tree and built, any software
which is statically linked against libvchan will need to be relinked
against the new libvchan.a for the fix to take effect.
xsa86.patch Xen 4.2.x, 4.3.x, 4.4-RC series, and xen-unstable
$ sha256sum xsa86*.patch
cd2df017e42717dd2a1b6f2fdd3ad30a38d3c0fbdd9d08b5f56ee0a01cd87b51 xsa86.patch
$