[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xen Security Advisory 134 (CVE-2015-4163) - GNTTABOP_swap_grant_ref operation misbehavior



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-4163 / XSA-134
                              version 3

             GNTTABOP_swap_grant_ref operation misbehavior

UPDATES IN VERSION 3
====================

Public release.

Added email header syntax to patches, for e.g. git-am.

ISSUE DESCRIPTION
=================

With the introduction of version 2 grant table operations, a version
check became necessary for most grant table related hypercalls.  The
GNTTABOP_swap_grant_ref call was lacking such a check.  As a result,
the subsequent code behaved as if version 2 was in use, when a guest
issued this hypercall without a prior GNTTABOP_setup_table or
GNTTABOP_set_version.

The effect is a possible NULL pointer dereferences.  However, this
cannot be exploited to elevate privileges of the attacking domain, as
the maximum memory address that can be wrongly accessed this way is
bounded to far below the start of hypervisor memory.

IMPACT
======

Malicious or buggy guest domain kernels can mount a denial of service
attack which, if successful, can affect the whole system.

VULNERABLE SYSTEMS
==================

Xen versions from 4.2 onwards are vulnerable.

MITIGATION
==========

There is no mitigation available.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa134.patch        xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa134*.patch
fff911a994a5031831cabd574bcba281eff438559706414a1886502eaa05ee12  xsa134.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJVeX71AAoJEIP+FMlX6CvZ67gIALM9l5JdS8BN9b1/CsXSr246
kwuTcDX/dmvVeoMMU5tYag5H6HbpFaI4GX5rvTIVS1fqHRygyRCGJmgQQQf2EmOh
E6PKeCzfYoUh6t8YoV5RtYFcUA8qPG6AmXjQGU5tbrCgM7kGYcHU+dFHUu7VEoBH
7Rjzwkht/u64nFRJOU7zBLiCc0/yB1K0JystM1m5przdcTTfawl1bdknG3wGxAuk
+jSQk6+rBATZgRY3r2mjvUnXvSJfsV/UklRhJCRXT0jz4O+gdgP4AU33RtGx8Evc
64wIORu50Imvo5ZR4yCwElw/TnIJeyY3Nbq6vltMvWhhqxhyNhG+a+t2BrsD8Sc=
=sqdZ
-----END PGP SIGNATURE-----

Attachment: xsa134.patch
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.