Bugzilla – Bug 860163
VUL-0: xen: XSA-84: integer overflow in several XSM/Flask hypercalls
Last modified: 2015-02-19 01:46:53 UTC
bugbot adjusting priority
Public now: Xen Security Advisory XSA-84 version 2 integer overflow in several XSM/Flask hypercalls UPDATES IN VERSION 2 ==================== Public release. The patch for 4.1 was extended to cover a few further similar issues. ISSUE DESCRIPTION ================= The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID suboperations of the flask hypercall are vulnerable to an integer overflow on the input size. The hypercalls attempt to allocate a buffer which is 1 larger than this size and is therefore vulnerable to integer overflow and an attempt to allocate then access a zero byte buffer. Xen 3.3 through 4.1, while not affected by the above overflow, have a different overflow issue on FLASK_{GET,SET}BOOL and expose unreasonably large memory allocation to aribitrary guests. Xen 3.2 (and presumably earlier) exhibit both problems, with the overflow issue being present for more than just the suboperations listed above. The FLASK_GETBOOL op is available to all domains. The FLASK_SETBOOL op is only available to domains which are granted access via the Flask policy. However the permissions check is performed only after running the vulnerable code and the vulnerability via this subop is exposed to all domains. The FLASK_USER and FLASK_CONTEXT_TO_SID ops are only available to domains which are granted access via the Flask policy. IMPACT ====== Attempting to access the result of a zero byte allocation results in a processor fault leading to a denial of service. VULNERABLE SYSTEMS ================== All Xen versions back to at least 3.2 are vulnerable to this issue when built with XSM/Flask support. XSM support is disabled by default and is enabled by building with XSM_ENABLE=y. We have not checked earlier versions of Xen, but it is likely that they are vulnerable to this or related vulnerabilities. All Xen versions built with XSM_ENABLE=y are vulnerable. MITIGATION ========== There is no useful mitigation available in installations where XSM support is actually in use. In other systems, compiling it out (with XSM_ENABLE=n) will avoid the vulnerability. CREDITS ======= This issue was discovered by Matthew Daley. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa84-unstable-4.3.patch xen-unstable,Xen 4.3.x xsa84-4.2.patch Xen 4.2.x xsa84-4.1.patch Xen 4.1.x $ sha256sum xsa84*.patch e33dd94499959363ad01bebefda9733683c49fd42a9641cf2d7edcd87f853d55 xsa84-4.1.patch 433f3c8a202482c51a48dc0e9e47ac8751d1c0d0759b7bcd22804e1856279a89 xsa84-4.2.patch 64ae433eb606c5446184c08e6fceb9f660ed9a9c28ec112c8cc529251b3b49fb xsa84-unstable-4.3.patch
Four CVEs where assigned to this issues: CVE-2014-1891 CVE-2014-1892 CVE-2014-1893 CVE-2014-1894
XSM_ENABLE is not enabled in SLE or openSUSE, so this XSA is not affecting us.
Xen package submitted for this bug with the following requests: SUSE:SLE-11-SP3:Update:Test: SR#33408 SUSE:SLE-11-SP2:Update:Test: SR#33409 SUSE:SLE-11-SP1:Update:Teradata:Test: SR#33410 openSUSE:13.1:Update: MR#223835 openSUSE:12.3:Update: MR#223847
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU Products: SLE-DEBUGINFO 11-SP2 (i386, x86_64) SLE-SERVER 11-SP2-LTSS (i386, x86_64)
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU Products: SLE-DEBUGINFO 11-SP3 (i386, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SDK 11-SP3 (i386, x86_64) SLE-SERVER 11-SP3 (i386, x86_64)
SUSE-SU-2014:0372-1: An update that solves 10 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 831120,833483,842417,846849,848014,849667,849668,853049,860163,860302,861256 CVE References: CVE-2013-2212,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1950 Sources used: SUSE Linux Enterprise Server 11 SP2 LTSS (src): xen-4.1.6_06-0.5.1
SUSE-SU-2014:0373-1: An update that solves 12 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 831120,833251,848014,853048,853049,858311,860092,860163,860165,860300,860302,861256,863297 CVE References: CVE-2013-2212,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): xen-4.2.4_02-0.7.1 SUSE Linux Enterprise Server 11 SP3 (src): xen-4.2.4_02-0.7.1 SUSE Linux Enterprise Desktop 11 SP3 (src): xen-4.2.4_02-0.7.1
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-libs, xen-tools, xen-tools-domU Products: SLE-DEBUGINFO 11-SP1-TERADATA (x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU Products: SLE-DEBUGINFO 11-SP1 (i386, x86_64) SLE-SERVER 11-SP1-LTSS (i386, x86_64)
SUSE-SU-2014:0446-1: An update that fixes 47 vulnerabilities is now available. Category: security (important) Bug References: 777628,777890,779212,786516,786517,786519,786520,787163,789944,789945,789948,789950,789951,794316,797031,797523,800275,805094,813673,813675,813677,816156,816159,816163,819416,820917,820919,823011,823608,826882,831120,839596,839618,840592,841766,842511,848657,849667,849668,853049,860163 CVE References: CVE-2006-1056,CVE-2007-0998,CVE-2012-3497,CVE-2012-4411,CVE-2012-4535,CVE-2012-4537,CVE-2012-4538,CVE-2012-4539,CVE-2012-4544,CVE-2012-5510,CVE-2012-5511,CVE-2012-5513,CVE-2012-5514,CVE-2012-5515,CVE-2012-5634,CVE-2012-6075,CVE-2012-6333,CVE-2013-0153,CVE-2013-0154,CVE-2013-1432,CVE-2013-1442,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1920,CVE-2013-1952,CVE-2013-1964,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-2211,CVE-2013-2212,CVE-2013-4329,CVE-2013-4355,CVE-2013-4361,CVE-2013-4368,CVE-2013-4494,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894 Sources used: SUSE Linux Enterprise Server 11 SP1 LTSS (src): xen-4.0.3_21548_16-0.5.1
Fixed and released. Closing Bug.
openSUSE-SU-2014:0483-1: An update that solves 16 vulnerabilities and has 5 fixes is now available. Category: security (moderate) Bug References: 831120,833251,833483,840997,842417,846849,848014,848657,849665,849667,849668,853048,853049,858311,858496,860163,860165,860300,860302,861256,863297 CVE References: CVE-2013-2212,CVE-2013-4494,CVE-2013-4551,CVE-2013-4553,CVE-2013-4554,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950 Sources used: openSUSE 12.3 (src): xen-4.2.4_02-1.26.2