
Re: [Xen-devel] Xen Security Advisory 155 (CVE-2015-8550) - paravirtualized drivers incautious about shared memory



The XSA mentions that "PV frontend patches will be developed and
released (publicly) after the embargo date."  Has anything been done
towards this that should also be incorporated into MiniOS?  On a
system utilizing a "driver domain," where a backend is running on a
domain that is considered unprivileged and untrusted (such as the
example described in http://wiki.xenproject.org/wiki/Driver_Domain),
it seems XSA-155-style double fetch vulnerabilities in the frontends
are also a potential security concern, and should be eliminated.
However, perhaps that does not include pcifront, since pciback would
always be running in dom0.

Eric

On Tue, Dec 22, 2015 at 7:24 AM, Stefano Stabellini
<stefano.stabellini@xxxxxxxxxxxxx> wrote:
> MiniOS for QEMU stubdom has frontends, such as mini-os/blkfront.c and
> mini-os/netfront.c, not backends.
>
> Cheers,
>
> Stefano
>
>
> On Mon, 21 Dec 2015, Eric Shelton wrote:
>> Seeing as "All OSes providing PV backends are susceptible," doesn't this
>> include MiniOS for QEMU stubdom as well?
>> Are there patches available for mini-os/blkfront.c, mini-os/netfront.c, and
>> mini-os/pcifront.c?  I didn't see anything for this.
>> Best,
>> Eric
>>
>> On Thu, Dec 17, 2015 at 1:36 PM, Xen.org security team <security@xxxxxxx> wrote:
>>
>>       -----BEGIN PGP SIGNED MESSAGE-----
>>       Hash: SHA1
>>
>>                   Xen Security Advisory CVE-2015-8550 / XSA-155
>>                                     version 6
>>
>>           paravirtualized drivers incautious about shared memory contents
>>
>>       UPDATES IN VERSION 6
>>       ====================
>>
>>       Correct CREDITS section.
>>
>>       ISSUE DESCRIPTION
>>       =================
>>
>>       The compiler can emit optimizations in the PV backend drivers which
>>       can lead to double fetch vulnerabilities. Specifically the shared
>>       memory between the frontend and backend can be fetched twice (during
>>       which time the frontend can alter the contents) possibly leading to
>>       arbitrary code execution in backend.
>>
>>       IMPACT
>>       ======
>>
>>       Malicious guest administrators can cause denial of service.  If driver
>>       domains are not in use, the impact can be a host crash, or privilege 
>> escalation.
>>
>>       VULNERABLE SYSTEMS
>>       ==================
>>
>>       Systems running PV or HVM guests are vulnerable.
>>
>>       ARM and x86 systems are vulnerable.
>>
>>       All OSes providing PV backends are susceptible, this includes
>>       Linux and NetBSD. By default the Linux distributions compile kernels
>>       with optimizations.
>>
>>       MITIGATION
>>       ==========
>>
>>       There is no mitigation.
>>
>>       CREDITS
>>       =======
>>
>>       This issue was discovered by Felix Wilhelm (ERNW Research, KIT /
>>       Operating Systems Group).
>>
>>       RESOLUTION
>>       ==========
>>
>>       Applying the appropriate attached patches should fix the problem for
>>       PV backends.  Note that only PV backends are fixed; PV frontend
>>       patches will be developed and released (publicly) after the embargo
>>       date.
>>
>>       Please note that there is a bug in some versions of gcc,
>>       https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 which can cause the
>>       construct used in RING_COPY_REQUEST() to be ineffective in some
>>       circumstances. We have determined that this is only the case when the
>>       structure being copied consists purely of bitfields. The Xen PV
>>       protocols updated here do not use bitfields in this way and therefore
>>       these patches are not subject to that bug. However authors of third
>>       party PV protocols should take this into consideration.
>>
>>       Linux v4.4:
>>       xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
>>       xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
>>       xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
>>       xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
>>       xsa155-linux-xsa155-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
>>       xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
>>       xsa155-linux-xsa155-0007-xen-pciback-Save-xen_pci_op-commands-before-processi.patch
>>
>>       Linux v4.[0,1,2,3]:
>>       All the above patches except #5 will apply, please use:
>>       xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
>>
>>       Linux v3.19:
>>       All the above patches except #5 and #6 will apply, please use:
>>       xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
>>       xsa155-linux319-0006-xen-scsiback-safely-copy-requests.patch
>>
>>       qemu-xen:
>>       xsa155-qemu-qdisk-double-access.patch
>>       xsa155-qemu-xenfb.patch
>>
>>       qemu-traditional:
>>       xsa155-qemut-qdisk-double-access.patch
>>       xsa155-qemut-xenfb.patch
>>
>>       NetBSD 7.0:
>>       xsa155-netbsd-xsa155-0001-netbsd-xen-Add-RING_COPY_REQUEST.patch
>>       xsa155-netbsd-xsa155-0002-netbsd-netback-Use-RING_COPY_REQUEST-instead-of-RING.patch
>>       xsa155-netbsd-xsa155-0003-netbsd-ring-Add-barrier-to-provide-an-compiler-barri.patch
>>       xsa155-netbsd-xsa155-0004-netbsd-block-only-read-request-operation-from-shared.patch
>>       xsa155-netbsd-xsa155-0005-netbsd-pciback-Operate-on-local-version-of-xen_pci_o.patch
>>
>>       xen:
>>       xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
>>       xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
>>       xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
>>
>>       xen 4.4:
>>       All patches except #3 will apply, please use:
>>       xsa155-xen44-0003-libvchan-Read-prod-cons-only-once.patch
>>
>>       $ sha256sum xsa155*
>>       d9fbc104ab2ae797971e351ee0e04e7b7e9c7c33385309bb406c7941dc9a33b4  xsa155-linux319-xsa155-0006-xen-scsiback-safely-copy-requests.patch
>>       590656d83ad7b6052b54659eccb3469658b3942c0dc1366423a66f2f5ac643e1  xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
>>       2bd18632178e09394c5cd06aded2c14bcc6b6e360ad6e81827d24860fe3e8ca4  xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
>>       cecdeccb8e2551252c81fc5f164a8298005df714a574a7ba18b84e8ed5f2bb70  xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
>>       3916b847243047f0e1053233ade742c14a7f29243584e60bf5db4842a8068855  xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
>>       746c8eb0aeb200d76156c88dfbbd49db79f567b88b07eda70f7c7d095721f05a  xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
>>       18517a184a02f7441065b8d3423086320ec4c2345c00d551231f7976381767f5  xsa155-linux-xsa155-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
>>       2e6d556d25b1cc16e71afde665ae3908f4fa8eab7e0d96283fc78400301baf92  xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
>>       5e130d8b61906015c6a94f8edd3cce97b172f96a265d97ecf370e7b45125b73d  xsa155-linux-xsa155-0007-xen-pciback-Save-xen_pci_op-commands-before-processi.patch
>>       08c2d0f95dcc215165afbce623b6972b81dd45b091b5f40017579b00c8612e03  xsa155-netbsd-xsa155-0001-netbsd-xen-Add-RING_COPY_REQUEST.patch
>>       0a66010f736092f91f70bb0fd220685e4395efef1db6d23a3d1eace31d144f51  xsa155-netbsd-xsa155-0002-netbsd-netback-Use-RING_COPY_REQUEST-instead-of-RING.patch
>>       5e913a8427cab6b4d384d1246e05116afc301eb117edd838101eb53a82c2f2ff  xsa155-netbsd-xsa155-0003-netbsd-ring-Add-barrier-to-provide-an-compiler-barri.patch
>>       3b8f14eafaed3a7bc66245753a37af4249acf8129fbedb70653192252dc47dc9  xsa155-netbsd-xsa155-0004-netbsd-block-only-read-request-operation-from-shared.patch
>>       81ae5fa998243a78dad749fc561be647dc1dc1be799e8f18484fdf0989469705  xsa155-netbsd-xsa155-0005-netbsd-pciback-Operate-on-local-version-of-xen_pci_o.patch
>>       044ff74fa048df820d528f64f2791ec9cb3940bd313c1179020bd49a6cde2ca3  xsa155-qemu-qdisk-double-access.patch
>>       1150504589eb7bfa108c80ce63395e57d0e627b12d9201219d968fdd026919a6  xsa155-qemut-qdisk-double-access.patch
>>       63186246ab6913b54bfef5f09f33e815935ac40ff821c27a3efda62339bbbd5f  xsa155-qemut-xenfb.patch
>>       e53b4ac298648cde79344192d5a58ca8d8724344f5105bec7c09eef095c668f6  xsa155-qemu-xenfb.patch
>>       e52467fcec73bcc86d3e96d06f8ca8085ae56a83d2c42a30c16bc3dc630d8f8a  xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
>>       eae34c8ccc096ad93a74190506b3d55020a88afb0cc504a3a514590e9fd746fd  xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
>>       42780265014085a4221ad32b026214693d751789eb5219e2e83862c0006c66f4  xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
>>       dfcaddb8a908a4fc1b048a43187e885117e67dc566f5c841037ee366dcd437d1  xsa155-xen44-0003-libvchan-Read-prod-cons-only-once.patch
>>       $
>>
>>       DEPLOYMENT DURING EMBARGO
>>       =========================
>>
>>       Deployment of the patches and/or mitigations described above (or
>>       others which are substantially similar) is permitted during the
>>       embargo, even on public-facing systems with untrusted guest users and
>>       administrators.
>>
>>       But: Distribution of updated software is prohibited (except to other
>>       members of the predisclosure list).
>>
>>       Predisclosure list members who wish to deploy significantly different
>>       patches and/or mitigations, please contact the Xen Project Security
>>       Team.
>>
>>       (Note: this during-embargo deployment notice is retained in
>>       post-embargo publicly released Xen Project advisories, even though it
>>       is then no longer applicable.  This is to enable the community to have
>>       oversight of the Xen Project Security Team's decisionmaking.)
>>
>>       For more information about permissible uses of embargoed information,
>>       consult the Xen Project community's agreed Security Policy:
>>         http://www.xenproject.org/security-policy.html
>>       -----BEGIN PGP SIGNATURE-----
>>       Version: GnuPG v1.4.12 (GNU/Linux)
>>
>>       iQEcBAEBAgAGBQJWcrpdAAoJEIP+FMlX6CvZ9soIALqQ/GHP6bZn2LqJTD9DIzsm
>>       zVB4yCPiVfDqHSOq9QNCzBzqpvOX+RhKTzRH1jsZczr8CSnkePxaCrmZgH8SAygB
>>       hFcF9xJGlJDjs647sgpQmYs++3mgD/57uml7IW/8NX46tXUelVByW7muNgUN2xlm
>>       kjeD8auJEs+jK1iwpt/hOmYe4moRx3+3ujfgqMCNAWtqZz9D9wM5tao+p6yKYlhM
>>       u8hSi1V3b7sAbf92mwzpzfpbwdgg25xeHtZ/oJxp/ZY0FhqDEsTxV+h8HjD/Eink
>>       GwqPS19O77tMmz9fUUTyJDSsU7ayFRI0HyYmXju4eJktJkhXagjAdCSyGky9z5g=
>>       =FlX2
>>       -----END PGP SIGNATURE-----
>>
>>
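The check-then-use pattern the advisory's ISSUE DESCRIPTION refers to, next to the copy-once discipline that the xsa155-*-0001 "Add RING_COPY_REQUEST" patches introduce, as an added C example. This is not code from the advisory, from the Xen or Linux trees, or from anyone in this thread: the request layout, the MAX_SEGMENTS bound, the function names and the synchronous race hook are assumptions made so the race is deterministic and the program runs stand-alone. The real RING_COPY_REQUEST() macro and the real request structures are in Xen's public io/ headers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper bound the backend must enforce (assumption for this example;
 * the value mirrors the classic blkif limit but the struct is simplified). */
#define MAX_SEGMENTS 11

/* Simplified request slot (assumption; not the layout from public/io/blkif.h).
 * It lives in a page shared with the frontend, which may rewrite any field
 * at any time, including between two reads by the backend. */
struct blkif_request {
    uint8_t  operation;
    uint8_t  nr_segments;
    uint16_t handle;
    uint64_t id;
    uint64_t sector_number;
    struct { uint32_t gref; uint8_t first_sect; uint8_t last_sect; } seg[MAX_SEGMENTS];
};

/* Compiler barrier in the style of Xen's ring.h: after it the compiler may
 * not satisfy a later read of the copy by re-loading from the shared slot. */
#define barrier() __asm__ __volatile__("" ::: "memory")

/* Local stand-in for RING_COPY_REQUEST(): fetch the whole request exactly
 * once, then only ever look at the private copy. */
#define RING_COPY_REQUEST(dst, src) \
    do { memcpy((dst), (src), sizeof(*(dst))); barrier(); } while (0)

/* Models the frontend writing into the shared slot in the window between the
 * backend's check and its use. A real attacker does this from another vCPU;
 * here it is called synchronously so the outcome is reproducible. */
typedef void (*frontend_race_fn)(struct blkif_request *shared);

/* Vulnerable pattern: nr_segments is read once for the bounds check and again
 * for the loop bound. In real drivers the second read is often not visible in
 * the source: the compiler may re-load a non-volatile field from memory
 * instead of keeping the first value in a register. Returns the number of
 * segments the backend goes on to map. */
int backend_vulnerable(struct blkif_request *shared, frontend_race_fn race)
{
    if (shared->nr_segments > MAX_SEGMENTS)      /* fetch #1: validate */
        return -EINVAL;
    if (race)
        race(shared);                            /* frontend rewrites the slot */
    int mapped = 0;
    for (unsigned i = 0; i < shared->nr_segments; i++)   /* fetch #2: use */
        mapped++;   /* real code indexes shared->seg[i] and a MAX_SEGMENTS-sized
                       local table here, so i >= MAX_SEGMENTS runs off both */
    return mapped;
}

/* Hardened pattern from the XSA-155 patches: copy first, then validate and use
 * only the copy. Whatever the frontend writes afterwards is never observed. */
int backend_fixed(struct blkif_request *shared, frontend_race_fn race)
{
    struct blkif_request req;
    RING_COPY_REQUEST(&req, shared);
    if (race)
        race(shared);                            /* too late to matter */
    if (req.nr_segments > MAX_SEGMENTS)
        return -EINVAL;
    int mapped = 0;
    for (unsigned i = 0; i < req.nr_segments; i++)
        mapped++;
    return mapped;
}

/* Demo frontend: post a request that passes validation ... */
void frontend_post(struct blkif_request *slot, uint8_t nr_segments)
{
    memset(slot, 0, sizeof(*slot));
    slot->operation = 1;                 /* arbitrary "write" opcode for the demo */
    slot->nr_segments = nr_segments;
}

/* ... then bump the segment count inside the race window. */
void malicious_frontend(struct blkif_request *shared)
{
    shared->nr_segments = 200;           /* far beyond MAX_SEGMENTS */
}

int main(void)
{
    struct blkif_request slot;           /* one slot of the shared ring page */

    frontend_post(&slot, 3);
    printf("vulnerable backend maps %d segments (limit %d)\n",
           backend_vulnerable(&slot, malicious_frontend), MAX_SEGMENTS);

    frontend_post(&slot, 3);
    printf("fixed backend maps %d segments\n",
           backend_fixed(&slot, malicious_frontend));
    return 0;
}
```

The vulnerable handler ends up iterating 200 segments after having validated 3; the fixed one never re-reads the slot, so the late write is invisible to it. Two caveats from the advisory carry over to this pattern: the memcpy-plus-barrier construct is what some gcc versions get wrong for structures consisting purely of bitfields (the gcc bug referenced in the RESOLUTION section), so third-party PV protocols should avoid such layouts; and, as raised in the reply above, a frontend talking to a backend in an untrusted driver domain has to treat the response ring with the same copy-once discipline.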

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
