
Re: [Xen-devel] Xen Security Advisory 155 (CVE-2015-8550) - paravirtualized drivers incautious about shared memory



MiniOS for QEMU stubdom has frontends, such as mini-os/blkfront.c and
mini-os/netfront.c, not backends.

Cheers,

Stefano


On Mon, 21 Dec 2015, Eric Shelton wrote:
> Seeing as "All OSes providing PV backends are susceptible," doesn't this
> include MiniOS for QEMU stubdom as well?
> Are there patches available for mini-os/blkfront.c, mini-os/netfront.c, and
> mini-os/pcifront.c? I didn't see anything for this.
> Best,
> Eric
>
> On Thu, Dec 17, 2015 at 1:36 PM, Xen.org security team <security@xxxxxxx> wrote:
>
>
>       Xen Security Advisory CVE-2015-8550 / XSA-155
>       version 6
>
>       paravirtualized drivers incautious about shared memory contents
>
>       UPDATES IN VERSION 6
>       ====================
>
>       Correct CREDITS section.
>
>       ISSUE DESCRIPTION
>       =================
>
>       The compiler can emit optimizations in the PV backend drivers which
>       can lead to double fetch vulnerabilities. Specifically, the shared
>       memory between the frontend and backend can be fetched twice (during
>       which time the frontend can alter the contents), possibly leading to
>       arbitrary code execution in the backend.
>
>       IMPACT
>       ======
>
>       Malicious guest administrators can cause denial of service. If driver
>       domains are not in use, the impact can be a host crash, or privilege
>       escalation.
>
>       VULNERABLE SYSTEMS
>       ==================
>
>       Systems running PV or HVM guests are vulnerable.
>
>       ARM and x86 systems are vulnerable.
>
>       All OSes providing PV backends are susceptible; this includes
>       Linux and NetBSD. By default the Linux distributions compile kernels
>       with optimizations.
>
>       MITIGATION
>       ==========
>
>       There is no mitigation.
>
>       CREDITS
>       =======
>
>       This issue was discovered by Felix Wilhelm (ERNW Research, KIT /
>       Operating Systems Group).
>
>       RESOLUTION
>       ==========
>
>       Applying the appropriate attached patches should fix the problem for
>       PV backends. Note that only PV backends are fixed; PV frontend
>       patches will be developed and released (publicly) after the embargo
>       date.
>
>       Please note that there is a bug in some versions of gcc,
>       https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 which can cause the
>       construct used in RING_COPY_REQUEST() to be ineffective in some
>       circumstances. We have determined that this is only the case when the
>       structure being copied consists purely of bitfields. The Xen PV
>       protocols updated here do not use bitfields in this way and therefore
>       these patches are not subject to that bug. However authors of third
>       party PV protocols should take this into consideration.
>
>       Linux v4.4:
>       xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
>       xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
>       xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
>       xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
>       xsa155-linux-xsa155-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
>       xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
>       xsa155-linux-xsa155-0007-xen-pciback-Save-xen_pci_op-commands-before-processi.patch
>
>       Linux v4.[0,1,2,3]:
>       All the above patches except #5 will apply, please use:
>       xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
>
>       Linux v3.19:
>       All the above patches except #5 and #6 will apply, please use:
>       xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
>       xsa155-linux319-0006-xen-scsiback-safely-copy-requests.patch
>
>       qemu-xen:
>       xsa155-qemu-qdisk-double-access.patch
>       xsa155-qemu-xenfb.patch
>
>       qemu-traditional:
>       xsa155-qemut-qdisk-double-access.patch
>       xsa155-qemut-xenfb.patch
>
>       NetBSD 7.0:
>       xsa155-netbsd-xsa155-0001-netbsd-xen-Add-RING_COPY_REQUEST.patch
>       xsa155-netbsd-xsa155-0002-netbsd-netback-Use-RING_COPY_REQUEST-instead-of-RING.patch
>       xsa155-netbsd-xsa155-0003-netbsd-ring-Add-barrier-to-provide-an-compiler-barri.patch
>       xsa155-netbsd-xsa155-0004-netbsd-block-only-read-request-operation-from-shared.patch
>       xsa155-netbsd-xsa155-0005-netbsd-pciback-Operate-on-local-version-of-xen_pci_o.patch
>
>       xen:
>       xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
>       xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
>       xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
>
>       xen 4.4:
>       All patches except #3 will apply, please use:
>       xsa155-xen44-0003-libvchan-Read-prod-cons-only-once.patch
>
>       $ sha256sum xsa155*
>
>       DEPLOYMENT DURING EMBARGO
>       =========================
>
>       Deployment of the patches and/or mitigations described above (or
>       others which are substantially similar) is permitted during the
>       embargo, even on public-facing systems with untrusted guest users and
>       administrators.
>
>       But: Distribution of updated software is prohibited (except to other
>       members of the predisclosure list).
>
>       Predisclosure list members who wish to deploy significantly different
>       patches and/or mitigations, please contact the Xen Project Security
>       Team.
>
>       (Note: this during-embargo deployment notice is retained in
>       post-embargo publicly released Xen Project advisories, even though it
>       is then no longer applicable. This is to enable the community to have
>       oversight of the Xen Project Security Team's decision-making.)
>
>       For more information about permissible uses of embargoed information,
>       consult the Xen Project community's agreed Security Policy:
>       http://www.xenproject.org/security-policy.html
>
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
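As an added illustration that is not the advisory's code nor any of the listed patches: the check-then-use double fetch the advisory describes, beside the single-copy fix, in C. The ring slot layout, NR_OPS, the COPY_REQUEST macro (which follows the volatile-copy approach of the RING_COPY_REQUEST macro the advisory mentions) and the frontend_write_fn hook standing in for a concurrent guest write are all constructed for this example.

```c
#include <stdint.h>

/* Constructed stand-in for one slot of a Xen-style shared ring; the guest
 * frontend can write to it at any time. */
struct blk_request {
    uint8_t  operation;   /* validated by the backend before dispatch */
    uint8_t  nr_segments;
    uint64_t id;
};
#define NR_OPS 4          /* constructed: operations 0..3 are valid */

/* One volatile struct copy out of guest-writable memory, the approach the
 * advisory's RING_COPY_REQUEST fix takes: the compiler cannot drop the copy
 * and re-read the shared slot, so validation and use see the same value. */
#define COPY_REQUEST(_shared, _local) \
    do { *(_local) = *(volatile struct blk_request *)(_shared); } while (0)

/* Hook standing in for a guest write that lands between the backend's check
 * and its use of the field (under optimization one source read can become two fetches). */
typedef void (*frontend_write_fn)(struct blk_request *shared);

/* Vulnerable pattern: the operation is fetched from shared memory twice. */
int dispatch_double_fetch(struct blk_request *shared, frontend_write_fn fe)
{
    if (shared->operation >= NR_OPS)  /* first fetch: validated */
        return -1;
    fe(shared);                       /* guest races in here */
    return shared->operation;         /* second fetch: unvalidated */
}

/* Hardened pattern: copy once, then validate and use only the copy. */
int dispatch_single_fetch(struct blk_request *shared, frontend_write_fn fe)
{
    struct blk_request req;
    COPY_REQUEST(shared, &req);
    if (req.operation >= NR_OPS)
        return -1;
    fe(shared);                       /* the late write no longer matters */
    return req.operation;
}

/* Constructed hostile frontend: flip the op to an out-of-range value. */
void hostile_frontend(struct blk_request *shared) { shared->operation = 0xff; }

/* Dispatch one fresh request whose operation is 'op' (test helper). */
int run_scenario(int (*dispatch)(struct blk_request *, frontend_write_fn), uint8_t op)
{
    struct blk_request shared = { .operation = op, .nr_segments = 1, .id = 7 };
    return dispatch(&shared, hostile_frontend);
}
```

With the same hostile write, the double-fetch path dispatches operation 255 after having validated 2, while the single-copy path still dispatches 2.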
