Xen.org security team
2014-Nov-18 12:24 UTC
Xen Security Advisory 109 (CVE-2014-8594) - Insufficient restrictions on certain MMU update hypercalls
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2014-8594 / XSA-109
version 3
Insufficient restrictions on certain MMU update hypercalls
UPDATES IN VERSION 3
===================
Public release.
ISSUE DESCRIPTION
================
MMU update operations targeting page tables are intended to be used on
PV guests only. The lack of a respective check made it possible for
such operations to access certain function pointers which remain NULL
when the target guest is using Hardware Assisted Paging (HAP).
IMPACT
=====
Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.
Only PV domains with privilege over other guests can exploit this
vulnerability; and only when those other guests are HVM using HAP, or
PVH. The vulnerability is therefore exposed to PV domains providing
hardware emulation services to HVM guests.
VULNERABLE SYSTEMS
=================
Xen 4.0 and onward are vulnerable.
Only x86 systems are vulnerable. ARM systems are not vulnerable.
The vulnerability is only exposed to PV service domains for HVM or
PVH guests which have privilege over the guest. In a usual
configuration that means only device model emulators (qemu-dm).
In the case of HVM guests whose device model is running in an
unrestricted dom0 process, qemu-dm already has the ability to cause
problems for the whole system. So in that case the vulnerability is
not applicable.
The situation is more subtle for an HVM guest with a stub qemu-dm.
That is, where the device model runs in a separate domain (in the case
of xl, as requested by "device_model_stubdomain_override=1" in the xl
domain configuration file). The same applies with a qemu-dm in a dom0
process subjected to some kind kernel-based process privilege
limitation (eg the chroot technique as found in some versions of
XCP/XenServer).
In those latter situations this issue means that the extra isolation
does not provide as good a defence (against denial of service) as
intended. That is the essence of this vulnerability.
However, the security is still better than with a qemu-dm running as
an unrestricted dom0 process. Therefore users with these
configurations should not switch to an unrestricted dom0 qemu-dm.
Finally, in a radically disaggregated system: where the HVM or PVH
service domain software (probably, the device model domain image in the
HVM case) is not always supplied by the host administrator, a malicious
service domain administrator can exercise this vulnerability.
MITIGATION
=========
Running only PV guests or HVM guests with shadow paging enabled will
avoid this issue.
In a radically disaggregated system, restricting HVM service domains
to software images approved by the host administrator will avoid the
vulnerability.
CREDITS
======
This issue was discovered by Roger Pau Monné of Citrix and Jan Beulich
of SUSE.
RESOLUTION
=========
Applying the appropriate attached patch resolves this issue.
xsa109.patch xen-unstable, Xen 4.4.x, Xen 4.3.x
xsa109-4.2.patch Xen 4.2.x
$ sha256sum xsa109*.patch
759d1b8cb8c17e53d17ad045ab89c5aaf52cb85fd93eef07e7acbe230365c56d
xsa109-4.2.patch
729b87c2b9979fbda47c96e934db6fcfaeb10e07b4cfd66bb1e9f746a908576b xsa109.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJUazogAAoJEIP+FMlX6CvZ5NQH/25lTqtBGu5Xt0JwHnLenfv0
z0gVJ5o8YB6aqzV+GHWei0QV/PtCLteykm/K8LJK4my9OtDqI/WPzusyrGB6aNhD
xCQUhRF5/j2c++u4UCBitibttSwKK/CCrswBMWZYqEI/1fJazVw3huyyFv56Wt+K
32geEcIUnWs6lJD+z97W8LPPNLoaF/m6uSh4I2LrT3uBnvEFq5oGgzdWNtEKkSGC
fAuga2m1NhfbCsMD6JSv9/EDSKHTiByZ5Z/zicWrButHfRp4fmGO/pPMwPFkERs1
T/FX/UAfnvisS1SjgMwqufWlzIka5JDzi/Nc5Utgcvo9+9EsI1PCJDzYTJpOSa8=yb1z
-----END PGP SIGNATURE-----
--=separator
Content-Type: application/octet-stream; name="xsa109-4.2.patch"
Content-Disposition: attachment; filename="xsa109-4.2.patch"
Content-Transfer-Encoding: base64
eDg2OiBkb24ndCBhbGxvdyBwYWdlIHRhYmxlIHVwZGF0ZXMgb24gbm9uLVBW
IHBhZ2UgdGFibGVzIGluIGRvX21tdV91cGRhdGUoKQoKcGFnaW5nX3dyaXRl
X2d1ZXN0X2VudHJ5KCkgYW5kIHBhZ2luZ19jbXB4Y2hnX2d1ZXN0X2VudHJ5
KCkgYXJlbid0CmNvbnNpc3RlbnRseSBzdXBwb3J0ZWQgZm9yIG5vbi1QViBn
dWVzdHMgKHRoZXknZCBkZXJlZiBOVUxMIGZvciBQVkggb3IKbm9uLUhBUCBI
Vk0gb25lcykuIERvbid0IGFsbG93IHJlc3BlY3RpdmUgTU1VXyogb3BlcmF0
aW9ucyBvbiB0aGUKcGFnZSB0YWJsZXMgb2Ygc3VjaCBkb21haW5zLgoKVGhp
cyBpcyBYU0EtMTA5LgoKU2lnbmVkLW9mZi1ieTogSmFuIEJldWxpY2ggPGpi
ZXVsaWNoQHN1c2UuY29tPgpBY2tlZC1ieTogVGltIERlZWdhbiA8dGltQHhl
bi5vcmc+CgotLS0gYS94ZW4vYXJjaC94ODYvbW0uYworKysgYi94ZW4vYXJj
aC94ODYvbW0uYwpAQCAtMzgwMCw2ICszODAwLDEwIEBAIGxvbmcgZG9fbW11
X3VwZGF0ZSgKICAgICAgICAgewogICAgICAgICAgICAgcDJtX3R5cGVfdCBw
Mm10OwogCisgICAgICAgICAgICByYyA9IC1FT1BOT1RTVVBQOworICAgICAg
ICAgICAgaWYgKCB1bmxpa2VseShwYWdpbmdfbW9kZV9yZWZjb3VudHMocHRf
b3duZXIpKSApCisgICAgICAgICAgICAgICAgYnJlYWs7CisKICAgICAgICAg
ICAgIHJjID0geHNtX21tdV9ub3JtYWxfdXBkYXRlKGQsIHB0X293bmVyLCBw
Z19vd25lciwgcmVxLnZhbCk7CiAgICAgICAgICAgICBpZiAoIHJjICkKICAg
ICAgICAgICAgICAgICBicmVhazsK
--=separator
Content-Type: application/octet-stream; name="xsa109.patch"
Content-Disposition: attachment; filename="xsa109.patch"
Content-Transfer-Encoding: base64
eDg2OiBkb24ndCBhbGxvdyBwYWdlIHRhYmxlIHVwZGF0ZXMgb24gbm9uLVBW
IHBhZ2UgdGFibGVzIGluIGRvX21tdV91cGRhdGUoKQoKcGFnaW5nX3dyaXRl
X2d1ZXN0X2VudHJ5KCkgYW5kIHBhZ2luZ19jbXB4Y2hnX2d1ZXN0X2VudHJ5
KCkgYXJlbid0CmNvbnNpc3RlbnRseSBzdXBwb3J0ZWQgZm9yIG5vbi1QViBn
dWVzdHMgKHRoZXknZCBkZXJlZiBOVUxMIGZvciBQVkggb3IKbm9uLUhBUCBI
Vk0gb25lcykuIERvbid0IGFsbG93IHJlc3BlY3RpdmUgTU1VXyogb3BlcmF0
aW9ucyBvbiB0aGUKcGFnZSB0YWJsZXMgb2Ygc3VjaCBkb21haW5zLgoKVGhp
cyBpcyBYU0EtMTA5LgoKU2lnbmVkLW9mZi1ieTogSmFuIEJldWxpY2ggPGpi
ZXVsaWNoQHN1c2UuY29tPgpBY2tlZC1ieTogVGltIERlZWdhbiA8dGltQHhl
bi5vcmc+CgotLS0gYS94ZW4vYXJjaC94ODYvbW0uYworKysgYi94ZW4vYXJj
aC94ODYvbW0uYwpAQCAtMzQ5Myw2ICszNDkzLDEwIEBAIGxvbmcgZG9fbW11
X3VwZGF0ZSgKICAgICAgICAgewogICAgICAgICAgICAgcDJtX3R5cGVfdCBw
Mm10OwogCisgICAgICAgICAgICByYyA9IC1FT1BOT1RTVVBQOworICAgICAg
ICAgICAgaWYgKCB1bmxpa2VseShwYWdpbmdfbW9kZV9yZWZjb3VudHMocHRf
b3duZXIpKSApCisgICAgICAgICAgICAgICAgYnJlYWs7CisKICAgICAgICAg
ICAgIHhzbV9uZWVkZWQgfD0gWFNNX01NVV9OT1JNQUxfVVBEQVRFOwogICAg
ICAgICAgICAgaWYgKCBnZXRfcHRlX2ZsYWdzKHJlcS52YWwpICYgX1BBR0Vf
UFJFU0VOVCApCiAgICAgICAgICAgICB7Cg=
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users
--=separator--