Xen project Mailing List

[Xen-users] Xen Security Advisory 107 (CVE-2014-6268) - Mishandling of uninitialised FIFO-based event channel control blocks

To: xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

From: Xen.org security team <security@xxxxxxx>

Date: Thu, 11 Sep 2014 13:00:13 +0000

Cc: "Xen.org security team" <security@xxxxxxx>

Delivery-date: Thu, 11 Sep 2014 13:01:29 +0000

List-id: Xen user discussion <xen-users.lists.xen.org>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-6268 / XSA-107 version 2 Mishandling of uninitialised FIFO-based event channel control blocks UPDATES IN VERSION 2 ==================== CVE assigned. ISSUE DESCRIPTION ================= When using the FIFO-based event channels, there are no checks for the existence of a control block when binding an event or moving it to a different VCPU. This is because events may be bound when the ABI is in 2-level mode (e.g., by the toolstack before the domain is started). The guest may trigger a Xen crash in evtchn_fifo_set_pending() if: a) the event is bound to a VCPU without a control block; or b) VCPU 0 does not have a control block. In case (a), Xen will crash when looking up the current queue. In (b), Xen will crash when looking up the old queue (which defaults to a queue on VCPU 0). IMPACT ====== A buggy or malicious guest can crash the host. VULNERABLE SYSTEMS ================== Xen 4.4 and onward are vulnerable. MITIGATION ========== None. CREDITS ======= This issue was originally reported by Vitaly Kuznetsov at Red Hat and diagnosed as a security issue by David Vrabel at Citrix. NOTE REGARDING LACK OF EMBARGO ============================== This bug was publicly reported on xen-devel, before it was appreciated that there was a security problem. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa107-unstable.patch xen-unstable xsa107-4.4.patch Xen 4.4.x $ sha256sum xsa107*.patch b92ba8085b6684abbc8b012ae1a580b9e7ed7c8e67071a9e70381d4c1009638b xsa107-4.4.patch cd954a5bd742c751f8db884a3f31bd636a8c5850acddf5f1160dd6be1f706a09 xsa107-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJUEXRHAAoJEIP+FMlX6CvZknQIAIzPCOwG07XrKR7yu00lhCin TSppBKJ3y7XkIdmBF/3QSnev61yJ4MYdpWl7qiK4xpDP3IyH0mrtIYBQVwxKCV/R l/E2ztiEMugq86eCwvX5p/fAoyfqf1pBoVplqwcarS4vcmnnkOpK278TD2dPdw69 G5VaFxOqVo4Z6xQyFIGHtinN00tbb/lVQTpldah7ZfqXknPAcSeZqEBuqmVSLGIo o9EgTAQm1wbh4tNn+O2KHeAbejjOTM7NYoidRqQY3qfN4m13MdAKliUbXIRdGggQ aMKU2n7eNga4Aly720cD6hkJAOKxG/dGUb8lm1qHsG01VjhP2zqGn41tkqsiSAs= =cld0 -----END PGP SIGNATURE-----

Attachment: xsa107-4.4.patch
Description: Binary data

Attachment: xsa107-unstable.patch
Description: Binary data

_______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxx http://lists.xen.org/xen-users

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.