[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Xen-users] Scripts to check XSA patch-level on xen trees (xen.git, qemu-xen.git & qemu-xen-traditional.git)
- To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, xen-users <xen-users@xxxxxxxxxxxxxxxxxxxx>
- From: Lars Kurth <lars.kurth@xxxxxxxxxx>
- Date: Mon, 7 Aug 2017 12:19:54 +0000
- Accept-language: en-GB, en-US
- Delivery-date: Mon, 07 Aug 2017 12:48:48 +0000
- List-id: Xen user discussion <xen-users.lists.xen.org>
- Thread-index: AQHTD3d5lapn3aqw6U+xSsUnG712ZA==
- Thread-topic: Scripts to check XSA patch-level on xen trees (xen.git, qemu-xen.git & qemu-xen-traditional.git)
Hi everyone,
I created a number of scripts primarily for checking whether we have applied
all patches correctly for point and major releases. However, these may be
useful for developers, users and xen packagers.
The tool will be run as part of the Release Manager Checklist: see
https://lists.xenproject.org/archives/html/xen-devel/2017-07/threads.html#03091
Feedback is very welcome.
I can make changes as needed when I have some spare cycles, but am
ultimately looking for someone who is willing to act as maintainer for the
scripts in the long run (as I am not really a developer any more).
Best Regards
Lars
== Script location ==
https://xenbits.xenproject.org/gitweb/?p=people/larsk/xen-release-scripts.git
README in top level directory
== Attached files ==
I attached the output and input of a test run on Xen 4.8.1 to the tip of the
stable branch.
Input: xsa-213-225
Output: 481-stable-xsamatch-smartd.html
However, the DEBUG links won’t work unless you actually run
the script and have the generated directory. To make it easier,
I attached screenshots of actual diffs:
xsa218-diff.png & xsa224-diff.png
./match-xsa --version 4 --major 8 --since 1 --html --smart --debug -xsa
xsa-213-225 > 481-stable-xsamatch-smartd.html
== Analysis of results ==
For the attached example, I did a quick sample analysis
> XSA 214 : All patches found => check as advisory text may be ambiguous
> or cannot be fully parsed
In this case the published advisory text contains a typo in the RESOLUTION
section of the advisory, which is why the script asks for a manual check
> XSA 215 : No patch found => check
In this case “Xen versions 4.7 and later are not vulnerable”. However, the
tool does not parse sentences, which is why this has been picked up as
a potential issue by the tool.
> XSA 218 : Some patches not applied => check
In this case, one of the patches in the advisory has been modified by the
committer at check-in into the 4.8 tree.
See xsa218-diff.png for the relevant difference
> XSA 221 : All patches found => check as advisory text may be ambiguous
> or cannot be fully parsed
In this case “Xen versions 4.4 and newer are vulnerable”. However, the
tool does not parse sentences, which is why this has been picked up as
a potential issue by the tool.
> XSA 224 : Some patches not applied => check
In this case, one of the patches in the advisory has been modified by the
committer at check-in into the 4.8 tree.
See xsa224-diff.png for the relevant difference
== Possible improvements ==
Right now, the tool either scrapes xenbits.xenproject.org/xsa for advisory
information, or it uses information that is only available to Xen Project
security team members. This means that there is somewhat of a gap
in terms of tool usability for people on the pre-disclosure list.
In addition, XSA Advisories do not yet have a metadata section that is
easily machine readable. However, George Dunlap has been working on
this, which will appear in Advisory Texts in the future, at which point the
tool can be updated. This would avoid a few manual checks that are
Necessary now. But even without, one picks up on possible issues very
quickly.
Attachment:
xsa-213-225
Description: xsa-213-225
CHECKING '../xsa-lists/xsa-213-225' against 'xen_481-stable.log', 'qemuu_481-stable.log' and 'qemut_481-stable.log'.
SUMMARYApplied XSAs
- XSA 213 : All patches found (no need to check)
- XSA 214 : All patches found => check as advisory text may be ambiguous or cannot be fully parsed
- XSA 215 : No patch found => check
- XSA 216 : All patches found (no need to check)
- XSA 217 : All patches found (no need to check)
- XSA 218 : Some patches not applied => check
- XSA 219 : All patches found (no need to check)
- XSA 220 : All patches found (no need to check)
- XSA 221 : All patches found => check as advisory text may be ambiguous or cannot be fully parsed
- XSA 222 : All patches found (no need to check)
- XSA 223 : All patches found (no need to check)
- XSA 224 : Some patches not applied => check
- XSA 225 : All patches found (no need to check)
DETAILSComparisons specific to 4.8:
Other comparisons (can probably be ignored):
Other comparisons (can probably be ignored):
Excerpt from XSA VULNERABLE SYSTEMS
==================
All Xen versions are vulnerable.
Only x86 systems are affected. ARM systems are not vulnerable.
RESOLUTION
==========
Applying the attached patch resolves this issue.
xsa124.patch xen-unstable, Xen 4.8.x, 4.7.x, 4.6.x, 4.5.x
$ sha256sum xsa214*
1c038c3927d08e6abdf3ce320bb8b0b68a106e6ac86b4e8194035dc5e4726d64 xsa214.patch
$
Other comparisons (can probably be ignored):
Excerpt from XSA VULNERABLE SYSTEMS
==================
64-bit Xen versions 4.6 and earlier are vulnerable. Xen versions 4.7
and later are not vulnerable.
Only x86 systems are affected. ARM systems are not vulnerable.
Only x86 systems with physical memory extending to a configuration
dependent boundary (5Tb or 3.5Tb) may be affected. Whether they are
actually affected depends on actual physical memory layout.
The vulnerability is only exposed to 64-bit PV guests. HVM guests and
32-bit PV guests can't exploit the vulnerability.
Comparisons specific to 4.8:
Other comparisons (can probably be ignored):
Comparisons specific to 4.8:
Other comparisons (can probably be ignored):
Comparisons specific to 4.8:
Other comparisons (can probably be ignored):
Excerpt from XSA VULNERABLE SYSTEMS
==================
All versions of Xen are vulnerable.
Both ARM and x86 are vulnerable.
On x86, systems with either PV or HVM guests are vulnerable.
RESOLUTION
==========
Applying the appropriate set of attached patches resolves this issue.
xsa218-unstable/*.patch xen-unstable
xsa218-4.8/*.patch Xen 4.8.x
xsa218-4.7/*.patch Xen 4.7.x
xsa218-4.6/*.patch Xen 4.6.x
xsa218-4.5/*.patch Xen 4.5.x
$ sha256sum xsa218*/*
6f5e588edb6d3f0a37b89235e95cdcc7ca73cdff236d86b65e6f608bd15b03ec xsa218-unstable/0001-gnttab-fix-unmap-pin-accounting-race.patch
5cb85f0aaa19ff343fc51b08addbf37d62352774115acd28eb18a73f67507e21 xsa218-unstable/0002-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
f5f3d27ce2829b3aa5e09b216bf9afcb1dc6b1f9f3b3a0f3ebfe5a68b4948aef xsa218-unstable/0003-gnttab-correct-maptrack-table-accesses.patch
fafb8773957bbffb21ab43c7a3559efe15f52d234afba5f2ad2739411946c021 xsa218-4.5/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch
4398ad7111421dbf954ede651cb7f9acd83c654c7fa93d54a4e5f9b7b25fe918 xsa218-4.5/0002-gnttab-fix-unmap-pin-accounting-race.patch
9d23946afb96a70c574b8c7ff42ed8b30b72e9a1f751ff617a7578c79645c094 xsa218-4.5/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
27d92c6f4d89de3fd9e9311337823370303c1ef985cce2bd9bea28f00cd6c184 xsa218-4.5/0004-gnttab-correct-maptrack-table-accesses.patch
99ac090d7955a46c6c9c73ca62b64cef6b8f05439961e52278c662f030a36ee2 xsa218-4.6/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch
e0f0839336e055c1422cf0f76c37f6d9cc8474b0140ffef2451dca6697a9f20f xsa218-4.6/0002-gnttab-fix-unmap-pin-accounting-race.patch
5f6f63211b18bb6ec157353b9e8b844abe3fd767ef1780e6d28731e935559fbc xsa218-4.6/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
6a786a8c4b916b6f99092598bd4d60381907cd7e728c98a79e999afeec4f45a6 xsa218-4.6/0004-gnttab-correct-maptrack-table-accesses.patch
58354eec5f4f0b87640c702c6e1ce0eeb57dffbd09394a96e88bd6ff42c53e7e xsa218-4.7/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch
0683d7ffdbe60dc8e1d161adeb0c5465df1840e86353b5cbb96dd204f2dbb526 xsa218-4.7/0002-gnttab-fix-unmap-pin-accounting-race.patch
6bfef9e1653a305e49653c5b81acb57ca41ee8410ea085d49c9bc7e4ccd31e54 xsa218-4.7/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
b4ede29e3a94d9e7992c90b8b7c8d489e071764218b28962b5755a444040e1ae xsa218-4.7/0004-gnttab-correct-maptrack-table-accesses.patch
c2a1b40e76764333f3ee34dd9bc7d3e34bab91f8b44eaae7aa6f187bbddb358f xsa218-4.8/0001-gnttab-fix-unmap-pin-accounting-race.patch
a210ff17a0ca1a81f2c98cce84a104ac7dd2f1a72fa3855ca5f3b3d13e95468c xsa218-4.8/0002-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
0b8fa3d6a0f3ccb43c8134db2240867d5a850ee0821d4124a1642596b4d6cb5a xsa218-4.8/0003-gnttab-correct-maptrack-table-accesses.patch
$
Comparisons specific to 4.8:
Other comparisons (can probably be ignored):
Comparisons specific to 4.8:
Other comparisons (can probably be ignored):
Other comparisons (can probably be ignored):
Excerpt from XSA VULNERABLE SYSTEMS
==================
Xen versions 4.4 and newer are vulnerable. Xen versions 4.3 and
earlier are not affected.
Both x86 and ARM systems are vulnerable.
While all guest kinds can cause a Denial of Service, only x86 PV guests
may be able to leverage the possible information leaks.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa221.patch Xen 4.4.x and later, including xen-unstable
$ sha256sum xsa221*
2425396a713466808b0f75f91337be4dd20a4dee7733972b04489773c6e97655 xsa221.patch
$
Comparisons specific to 4.8:
Other comparisons (can probably be ignored):
Comparisons specific to 4.8:
Comparisons specific to 4.8:
Other comparisons (can probably be ignored):
Excerpt from XSA VULNERABLE SYSTEMS
==================
All versions of Xen are vulnerable.
Only x86 systems are vulnerable.
Any system running untrusted PV guests is vulnerable.
Systems with untrusted HVM guests are only vulnerable if those guests
are served by a trusted PV backend which is vulnerable: Namely, one
which calls grant_map() with both the GNTMAP_device_map and
GNTMAP_host_map flags. The security team is not aware of any backends
which are vulnerable.
RESOLUTION
==========
Applying the appropriate set of attached patched resolves this issue.
Note that these patches are assumed to be applied on top of the XSA-218
ones; not doing so may cause at least mechanical problems of applying
the ones here.
xsa224-unstable/*.patch xen-unstable
xsa224-4.8/*.patch Xen 4.8.x
xsa224-4.7/*.patch Xen 4.7.x
xsa224-4.6/*.patch Xen 4.6.x
xsa224-4.5/*.patch Xen 4.5.x
$ sha256sum xsa224*/*
db39535185c1879775b62873fbed1e6285300ec1e1bd5d09ac2d96a98ac6443c xsa224-unstable/0001-gnttab-Fix-handling-of-dev_bus_addr-during-unmap.patch
1588257f5b0c7113cd478475014f56fbeb6e79de7acbe67cf6d7a265e2b3fa15 xsa224-unstable/0002-gnttab-never-create-host-mapping-unless-asked-to.patch
a7517ca0e253fb9fb5b1ea1e56d04167f32ef87be145462a15241af26e4e0d65 xsa224-unstable/0003-gnttab-correct-logic-to-get-page-references-during-m.patch
951217a88f9c945eb9f7933cd66615aef955206fab955020334ac54da05663fa xsa224-unstable/0004-gnttab-__gnttab_unmap_common_complete-is-all-or-noth.patch
190470fbd77fca58aab89a9bd034732525ce8f7ce7c417a0ca5d25b366639baa xsa224-4.5/0001-gnttab-Fix-handling-of-dev_bus_addr-during-unmap.patch
9374e4dd6666a63fb32e6cfbdc95071b0cc153ff7cb2d2efdd98468e0e079605 xsa224-4.5/0002-gnttab-never-create-host-mapping-unless-asked-to.patch
d825e6fa5827e28e3755c92b274044666cc91b6a8cbc16e2081f43e0371991d4 xsa224-4.5/0003-gnttab-correct-logic-to-get-page-references-during-m.patch
d3aaffaf487a84e43fe10f7dec5af72b64d1b2315440c36335a0ed8ec1439ca1 xsa224-4.5/0004-gnttab-__gnttab_unmap_common_complete-is-all-or-noth.patch
c6cd6b82ef774bec5eaad5f32e767c917bc7ad2a73ee81d3f7eef67aaf1a1330 xsa224-4.6/0001-gnttab-Fix-handling-of-dev_bus_addr-during-unmap.patch
db32d15757c9d147c7e89eebd10a16324e59141fbb5ce3feb87fc9bf01864a6a xsa224-4.6/0002-gnttab-never-create-host-mapping-unless-asked-to.patch
6bc9bbcf320d673822bd41545a014bd998294d06c5b38d79a6badf1a154ed0d6 xsa224-4.6/0003-gnttab-correct-logic-to-get-page-references-during-m.patch
088064fec3192928f205b34b808ca40fd685a8ba5037bb665ed0a4f87d6d4035 xsa224-4.6/0004-gnttab-__gnttab_unmap_common_complete-is-all-or-noth.patch
cdd93fb950b823cf96fe52685f6394c1b5e0a1e3d7d3c961a5e781da83551a9f xsa224-4.7/0001-gnttab-Fix-handling-of-dev_bus_addr-during-unmap.patch
0583da31891084b2557a9623bc2b11a480e296004a8716b91c79fe28a824a6e0 xsa224-4.7/0002-gnttab-never-create-host-mapping-unless-asked-to.patch
2323bf581a835f152285b98ed2e4b5b503b0f67bd8e3449d33e8fe03b14ce064 xsa224-4.7/0003-gnttab-correct-logic-to-get-page-references-during-m.patch
b4f4adb1ea850e0174e51f76da7e97769211977c71809bd62102d33d90444b09 xsa224-4.7/0004-gnttab-__gnttab_unmap_common_complete-is-all-or-noth.patch
88b20e6765f0bfffe7598215f3a8e25c0931dbe3c7223cb3c08f998842cfc14b xsa224-4.8/0001-gnttab-Fix-handling-of-dev_bus_addr-during-unmap.patch
ce62c97f470d6fbf557f50be8936051e91592a6330527515b7cdb187a0d633b2 xsa224-4.8/0002-gnttab-never-create-host-mapping-unless-asked-to.patch
5fd8cd67737c6a038d6c47fcf3c5bd2d238f4ac361538d650292ee185bda8000 xsa224-4.8/0003-gnttab-correct-logic-to-get-page-references-during-m.patch
f9c65c7f04063872602c609d2fc3caffc44716b3d378569969a7884abe881a19 xsa224-4.8/0004-gnttab-__gnttab_unmap_common_complete-is-all-or-noth.patch
$
Comparisons specific to 4.8:
Attachment:
xsa218-diff.png
Description: xsa218-diff.png
Attachment:
xsa224-diff.png
Description: xsa224-diff.png
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
https://lists.xen.org/xen-users
|