826882 – (CVE-2013-1432) VUL-0: xen: CVE-2013-1432: XSA-58: Page reference counting error due to XSA-45/CVE-2013-1918 fixes

Bug 826882 (CVE-2013-1432) - VUL-0: xen: CVE-2013-1432: XSA-58: Page reference counting error due to XSA-45/CVE-2013-1918 fixes

Summary: VUL-0: xen: CVE-2013-1432: XSA-58: Page reference counting error due to XSA-4...

Status:	RESOLVED FIXED

Alias:	CVE-2013-1432

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:running:54856:moderate maint:re...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2013-06-26 07:45 UTC by Alexander Bergmann
Modified:	2014-03-25 22:09 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
XSA58 fix for 4.1. (4.11 KB, patch) 2013-06-26 07:47 UTC, Alexander Bergmann	Details \| Diff
XSA58 fix for 4.2. (4.52 KB, patch) 2013-06-26 07:48 UTC, Alexander Bergmann	Details \| Diff
XSA58 fix for unstable. (4.51 KB, patch) 2013-06-26 07:48 UTC, Alexander Bergmann	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2013-06-26 07:45:47 UTC

Public via Xen security:

Date: Wed, 26 Jun 2013 13:19:17 +0000
From: "Xen.org security team"
Subject: [oss-security] Xen Security Advisory 58 (CVE-2013-1432) - Page reference counting error due to XSA-45/CVE-2013-1918 fixes

             Xen Security Advisory CVE-2013-1432 / XSA-58
                            version 2

        Page reference counting error due to XSA-45/CVE-2013-1918 fixes

UPDATES IN VERSION 2
====================

Public release.  Credits section added.

ISSUE DESCRIPTION
=================

The XSA-45/CVE-2013-1918 patch making error handling paths preemptible broke
page reference counting by not retaining a reference on pages stored for
deferred cleanup. This would lead to the hypervisor prematurely attempting to
free the page, generally crashing upon finding the page still in use.

CREDITS
=======

Thanks to Andrew Cooper and the Citrix XenServer team for discovering
and reporting this vulnerability, and helping investigate it.

IMPACT
======

Malicious or buggy PV guest kernels can mount a denial of service attack
affecting the whole system. It can't be excluded that this could also be
exploited to mount a privilege escalation attack.

VULNERABLE SYSTEMS
==================

All Xen versions having the XSA-45/CVE-2013-1918 fixes applied are vulnerable.

The vulnerability is only exposed by PV guests.

MITIGATION
==========

Running only HVM guests, or PV guests with trusted kernels, will avoid this
vulnerability.

RESOLUTION
Applying the appropriate attached patch resolves this issue.

xsa58-4.1.patch             Xen 4.1.x
xsa58-4.2.patch             Xen 4.2.x
xsa58-unstable.patch        xen-unstable

$ sha256sum xsa58*.patch
3623ec87e5a2830f0d41de19a8e448d618954973c3264727a1f3a095f15a8641  xsa58-4.1.patch
194d6610fc38b767d643e5d58a1268f45921fb35e309b47aca6a388b861311c2  xsa58-4.2.patch
2c94b099d7144d03c0f7f44e892a521537fc040d11bc46f84a2438eece46a0f5  xsa58-unstable.patch
$

Comment 1 Alexander Bergmann 2013-06-26 07:47:41 UTC

Created attachment 545758 [details]
XSA58 fix for 4.1.

Comment 2 Alexander Bergmann 2013-06-26 07:48:05 UTC

Created attachment 545759 [details]
XSA58 fix for 4.2.

Comment 3 Alexander Bergmann 2013-06-26 07:48:25 UTC

Created attachment 545760 [details]
XSA58 fix for unstable.

Comment 4 Swamp Workflow Management 2013-06-26 16:00:08 UTC

bugbot adjusting priority

Comment 5 Charles Arnold 2013-07-12 16:09:50 UTC

Swamp: 53511

Xen and Libvirt have been submitted with the following requests;

Xen: SR#27695
Libvirt: SR#27703

Comment 6 Swamp Workflow Management 2013-08-30 14:09:30 UTC

openSUSE-SU-2013:1392-1: An update that solves 12 vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 801663,803712,809662,813673,813675,813677,814709,816156,816159,816163,819416,820917,820919,820920,823011,823608,823786,824676,826882
CVE References: CVE-2013-1432,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1920,CVE-2013-1952,CVE-2013-1964,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2078,CVE-2013-2211
Sources used:
openSUSE 12.2 (src):    xen-4.1.5_04-5.29.1

Comment 7 Swamp Workflow Management 2013-09-04 13:10:34 UTC

openSUSE-SU-2013:1404-1: An update that solves 13 vulnerabilities and has 13 fixes is now available.

Category: security (moderate)
Bug References: 797285,797523,801663,802221,808085,808269,809662,813673,813675,814059,814709,816159,816163,817068,817210,817799,817904,818183,819416,820917,820919,820920,823011,823608,824676,826882
CVE References: CVE-2012-6075,CVE-2013-0151,CVE-2013-1432,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1922,CVE-2013-1952,CVE-2013-2007,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2078
Sources used:
openSUSE 12.3 (src):    xen-4.2.2_06-1.16.1

Comment 8 Swamp Workflow Management 2013-11-19 13:06:18 UTC

Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP2 (i386, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)

Comment 9 Marcus Meissner 2013-11-27 10:26:59 UTC

released and done I think

Comment 10 Swamp Workflow Management 2013-11-27 13:03:37 UTC

Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)

Comment 11 Swamp Workflow Management 2013-11-29 16:05:16 UTC

Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-libs, xen-tools, xen-tools-domU
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)

Comment 12 Swamp Workflow Management 2014-03-25 18:48:31 UTC

Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, x86_64)

Comment 13 Swamp Workflow Management 2014-03-25 22:09:32 UTC

SUSE-SU-2014:0446-1: An update that fixes 47 vulnerabilities is now available.

Category: security (important)
Bug References: 777628,777890,779212,786516,786517,786519,786520,787163,789944,789945,789948,789950,789951,794316,797031,797523,800275,805094,813673,813675,813677,816156,816159,816163,819416,820917,820919,823011,823608,826882,831120,839596,839618,840592,841766,842511,848657,849667,849668,853049,860163
CVE References: CVE-2006-1056,CVE-2007-0998,CVE-2012-3497,CVE-2012-4411,CVE-2012-4535,CVE-2012-4537,CVE-2012-4538,CVE-2012-4539,CVE-2012-4544,CVE-2012-5510,CVE-2012-5511,CVE-2012-5513,CVE-2012-5514,CVE-2012-5515,CVE-2012-5634,CVE-2012-6075,CVE-2012-6333,CVE-2013-0153,CVE-2013-0154,CVE-2013-1432,CVE-2013-1442,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1920,CVE-2013-1952,CVE-2013-1964,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-2211,CVE-2013-2212,CVE-2013-4329,CVE-2013-4355,CVE-2013-4361,CVE-2013-4368,CVE-2013-4494,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_16-0.5.1