[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Xen Security Advisory 355 v2 - stack corruption from XSA-346 change
- To: Xen.org security team <security@xxxxxxx>
- From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
- Date: Tue, 24 Nov 2020 13:44:43 +0100
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bNiiNcKeu69XwjDnhN0RCQkefm9PB3+H4JgnQ+jvX+A=; b=XIbARE+jo6nK76OhUOBC14Oh9thzAOuS66Rh3AawtqDUgHGKuGbfXUTTTf29rBizqizNWOzS6uqB/Q7r++r5voVbSJ9Q18n4l3uKjp7wqfPNtuR9TazOGX9LeKTBnx+6h7LyaAQvCQRMwlT36MyhH3hAOahb7E04y4KrYCmOjHK+HYkH1vqHIWbWJXG1kpTD64yNVNYEXkOYnlwu1GH16etL0RJRLEnHjTbxI1hXh9sVSogMYU2zXoGr16dDadLBVZurtSel/SczS4hXWyrWygQQh9R/81QdUxTL2KvnYm5NPoNAw3UEHBi+MwMmf6bkwEG7SNls9ebFW0CQntiSeQ==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AcyiBqK8YdNNzsr4yjSWsiGDDzUY0wVk+uWRBRKSQu6vvvJzboiEYqS3WBdUOjrNM+566a1QP3Eta/6QH/fx9cJkfRuHQWxVyk8J7ayBlfqofwiH4vLWInAMNBg6c24aS0iDJ0F/6R9mqfai3tzNkvGPKdBYjXjWN2Fu0FhVCnetkLQZCgNQqpM3gEEVOGjA3Y0fQJHDuzlqs2spKX/EMkZAvBQ68oAYWeJdNbm1N0VTxn9c7vMq7NPrJVcXQye9aYaVQQlylwmko2EsH+lOu/yuXcaULrfYojBzzPO4cRm0nzphEADoUkNFmbZdxCfpHue+iVrbudVFP8onU8JW1Q==
- Authentication-results: esa1.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
- Cc: <xen-announce@xxxxxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxx>, <xen-users@xxxxxxxxxxxxx>, <oss-security@xxxxxxxxxxxxxxxxxx>, Xen.org security team <security-team-members@xxxxxxx>
- Delivery-date: Tue, 24 Nov 2020 12:45:35 +0000
- Ironport-sdr: eKs0eZxbg0+zgHMPFHr9cMPGlBuwKOFKxUkti8i7fsjECZsruRuki7+T5vsXTSbpVveOryn+nw 70n5WDvmk4SYc4JtS9wQAG8IJpRldZQ1kgpG4qROZktsFUlVGyifu19b62s7Ows6a2sIeYBXQ5 GWTB9pXAHz+fkO/FYuYzYC7EXxJfpxYCqGv2WHBcJ5bc4+lE80YMPhiWdZglHTjR31dFOlXPr4 72LWOUGusSSKHq6sCW5vBatreC8Pv45jRHM1mtTvLgNoTgD9P8bNHiQuAKC6jueEFfX7q4j/lB IAM=
- List-id: Xen user discussion <xen-users.lists.xenproject.org>
On Tue, Nov 24, 2020 at 12:03:45PM +0000, Xen.org security team wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Xen Security Advisory XSA-355
> version 2
>
> stack corruption from XSA-346 change
>
> UPDATES IN VERSION 2
> ====================
>
> Added metadata file.
>
> Public release.
>
> ISSUE DESCRIPTION
> =================
>
> One of the two changes for XSA-346 introduced an on-stack array. The
> check for guarding against overrunning this array was off by one,
> allowing for corruption of the first stack slot immediately following
> this array.
>
> IMPACT
> ======
>
> A malicious or buggy HVM or PVH guest can cause Xen to crash, resulting
> in a Denial of Service (DoS) to the entire host. Privilege escalation
> as well as information leaks cannot be excluded.
>
> VULNERABLE SYSTEMS
> ==================
>
> All Xen versions which have the patches for XSA-346 applied are
> vulnerable.
>
> Only x86 HVM and PVH guests can leverage the vulnerability. Arm guests
> and x86 PV guests cannot leverage the vulnerability.
>
> Only x86 HVM and PVH guests which have physical devices passed through
> to them can leverage the vulnerability.
There's no support for passthrough for x86 PVH guests yet, so this
issue only affects x86 HVM with passthrough.
Roger.
|