Re: [Xen-devel] Xen Security Advisory 155 (CVE-2015-8550) - paravirtualized drivers incautious about shared memory
MiniOS for QEMU stubdom has frontends, such as mini-os/blkfront.c and mini-os/netfront.c, not backends.

Cheers,

Stefano

On Mon, 21 Dec 2015, Eric Shelton wrote:
> Seeing as "All OSes providing PV backends are susceptible," doesn't this
> include MiniOS for QEMU stubdom as well?
> Are there patches available for mini-os/blkfront.c, mini-os/netfront.c, and
> mini-os/pcifront.c? I didn't see anything for this.
>
> Best,
> Eric
>
> On Thu, Dec 17, 2015 at 1:36 PM, Xen.org security team <security@xxxxxxx> wrote:
>
>       Xen Security Advisory CVE-2015-8550 / XSA-155
>                version 6
>
>   paravirtualized drivers incautious about shared memory contents
>
> UPDATES IN VERSION 6
> ====================
>
> Correct CREDITS section.
>
> ISSUE DESCRIPTION
> =================
>
> The compiler can emit optimizations in the PV backend drivers which
> can lead to double fetch vulnerabilities. Specifically the shared
> memory between the frontend and backend can be fetched twice (during
> which time the frontend can alter the contents) possibly leading to
> arbitrary code execution in backend.
>
> IMPACT
> ======
>
> Malicious guest administrators can cause denial of service. If driver
> domains are not in use, the impact can be a host crash, or privilege
> escalation.
>
> VULNERABLE SYSTEMS
> ==================
>
> Systems running PV or HVM guests are vulnerable.
>
> ARM and x86 systems are vulnerable.
>
> All OSes providing PV backends are susceptible, this includes
> Linux and NetBSD. By default the Linux distributions compile kernels
> with optimizations.
>
> MITIGATION
> ==========
>
> There is no mitigation.
>
> CREDITS
> =======
>
> This issue was discovered by Felix Wilhelm (ERNW Research, KIT /
> Operating Systems Group).
>
> RESOLUTION
> ==========
>
> Applying the appropriate attached patches should fix the problem for
> PV backends. Note only that PV backends are fixed; PV frontend
> patches will be developed and released (publicly) after the embargo
> date.
>
> Please note that there is a bug in some versions of gcc,
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 which can cause the
> construct used in RING_COPY_REQUEST() to be ineffective in some
> circumstances. We have determined that this is only the case when the
> structure being copied consists purely of bitfields. The Xen PV
> protocols updated here do not use bitfields in this way and therefore
> these patches are not subject to that bug. However authors of third
> party PV protocols should take this into consideration.
>
> Linux v4.4:
> xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
> xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
> xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
> xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
> xsa155-linux-xsa155-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
> xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
> xsa155-linux-xsa155-0007-xen-pciback-Save-xen_pci_op-commands-before-processi.patch
>
> Linux v4.[0,1,2,3]
> All the above patches except #5 will apply, please use:
> xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
>
> Linux v3.19:
> All the above patches except #5 and #6 will apply, please use:
> xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
> xsa155-linux319-0006-xen-scsiback-safely-copy-requests.patch
>
> qemu-xen:
> xsa155-qemu-qdisk-double-access.patch
> xsa155-qemu-xenfb.patch
>
> qemu-traditional:
> xsa155-qemut-qdisk-double-access.patch
> xsa155-qemut-xenfb.patch
>
> NetBSD 7.0:
> xsa155-netbsd-xsa155-0001-netbsd-xen-Add-RING_COPY_REQUEST.patch
> xsa155-netbsd-xsa155-0002-netbsd-netback-Use-RING_COPY_REQUEST-instead-of-RING.patch
> xsa155-netbsd-xsa155-0003-netbsd-ring-Add-barrier-to-provide-an-compiler-barri.patch
> xsa155-netbsd-xsa155-0004-netbsd-block-only-read-request-operation-from-shared.patch
> xsa155-netbsd-xsa155-0005-netbsd-pciback-Operate-on-local-version-of-xen_pci_o.patch
>
> xen:
> xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
> xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
> xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
>
> xen 4.4:
> All patches except #3 will apply, please use:
> xsa155-xen44-0003-libvchan-Read-prod-cons-only-once.patch
>
> $ sha256sum xsa155*
>
> DEPLOYMENT DURING EMBARGO
> =========================
>
> Deployment of the patches and/or mitigations described above (or
> others which are substantially similar) is permitted during the
> embargo, even on public-facing systems with untrusted guest users and
> administrators.
>
> But: Distribution of updated software is prohibited (except to other
> members of the predisclosure list).
>
> Predisclosure list members who wish to deploy significantly different
> patches and/or mitigations, please contact the Xen Project Security
> Team.
>
> (Note: this during-embargo deployment notice is retained in
> post-embargo publicly released Xen Project advisories, even though it
> is then no longer applicable. This is to enable the community to have
> oversight of the Xen Project Security Team's decision-making.)
>
> For more information about permissible uses of embargoed information,
> consult the Xen Project community's agreed Security Policy:
>  http://www.xenproject.org/security-policy.html
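The double fetch the advisory describes, as an added illustration that is not part of the advisory, its patches or the Xen code base: a backend handler that validates a field read straight from the shared ring slot and then reads the slot again when acting on it, beside a handler that copies the request once through a volatile pointer (the idea behind RING_COPY_REQUEST) and validates and uses only the local copy. The request layout, the `window_fn` hook that stands in for the window between the two loads, and all values are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed request layout standing in for a ring entry (no bitfields, so the
 * volatile struct copy below is not affected by gcc bug 58145 cited above). */
struct req { uint8_t operation; uint8_t nr_segments; uint16_t id; };

enum { OP_READ = 0, OP_WRITE = 1, OP_MAX = 2 };

/* Constructed shared slot: the frontend may rewrite it at any moment. */
static struct req shared_slot;

/* Models the window between the two fetches. In the real bug that window is
 * whatever the compiler leaves between two loads of the same shared field. */
typedef void (*window_fn)(struct req *shared);

/* Vulnerable pattern: each use dereferences the shared slot again, so the value
 * acted on is not the value that was validated. */
int handle_unsafe(struct req *shared, window_fn frontend_acts)
{
    if (shared->operation >= OP_MAX)   /* first fetch: validation */
        return -1;
    frontend_acts(shared);             /* frontend changes the slot */
    return shared->operation;          /* second fetch: unvalidated value */
}

/* Hardened pattern: copy the whole request once through a volatile pointer so
 * the compiler must load every field exactly once, then touch only the copy. */
int handle_safe(struct req *shared, window_fn frontend_acts)
{
    struct req local = *(volatile struct req *)shared;
    if (local.operation >= OP_MAX)
        return -1;
    frontend_acts(shared);             /* later rewrites cannot affect local */
    return local.operation;
}

/* Constructed hostile frontend: rewrites the operation after validation. */
static void flip_op(struct req *shared) { shared->operation = 0xff; }
static void no_op(struct req *shared) { (void)shared; }

int main(void)
{
    shared_slot = (struct req){ .operation = OP_READ, .nr_segments = 1, .id = 7 };
    printf("unsafe: %d\n", handle_unsafe(&shared_slot, flip_op)); /* prints 255 */
    shared_slot.operation = OP_READ;
    printf("safe:   %d\n", handle_safe(&shared_slot, flip_op));   /* prints 0 */
    return 0;
}
```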