Bug 860165 (CVE-2014-1895) - VUL-0: CVE-2014-1895: xen: XSA-85: Off-by-one error in FLASK_AVC_CACHESTAT hypercall
Summary: VUL-0: CVE-2014-1895: xen: XSA-85: Off-by-one error in FLASK_AVC_CACHESTAT hypercall
Status: RESOLVED FIXED
Alias: CVE-2014-1895
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3:56441
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-23 18:02 UTC by Alexander Bergmann
Modified: 2015-02-19 01:47 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 2 Swamp Workflow Management 2014-01-24 23:00:11 UTC
bugbot adjusting priority
Comment 3 Alexander Bergmann 2014-02-06 19:43:21 UTC
Public now:

                     Xen Security Advisory XSA-85
                              version 2

          Off-by-one error in FLASK_AVC_CACHESTAT hypercall

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The FLASK_AVC_CACHESTAT hypercall, which provides access to per-cpu
statistics on the Flask security policy, incorrectly validates the
CPU for which statistics are being requested.

IMPACT
======

An attacker can cause the hypervisor to read past the end of an
array. This may result in either a host crash, leading to a denial of
service, or access to a small and static region of hypervisor memory,
leading to an information leak.

VULNERABLE SYSTEMS
==================

Xen version 4.2 and later are vulnerable to this issue when built with
XSM/Flask support. XSM support is disabled by default and is enabled
by building with XSM_ENABLE=y.

Only systems with the maximum supported number of physical CPUs are
vulnerable. Systems with a greater number of physical CPUs will only
make use of the maximum supported number and are therefore vulnerable.

By default the following maximums apply:
 * x86_32: 128 (only until Xen 4.2.x)
 * x86_64: 256
These defaults can be overridden at build time via max_phys_cpus=N.

The vulnerable hypercall is exposed to all domains.

MITIGATION
==========

Rebuilding Xen with more supported physical CPUs can avoid the
vulnerability; provided that the supported number is strictly greater
than the actual number of CPUs on any host on which the hypervisor is
to run.

If XSM is compiled in, but not actually in use, compiling it out (with
XSM_ENABLE=n) will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa85.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa85*.patch
20571024e6815eeb40d2f92a3d70ae699047cffafb5431ec74b652e0843a5315  xsa85.patch
$
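The advisory describes the bug class, not the code, so the following is an added illustration of how an off-by-one bounds check on a per-CPU table yields exactly the conditions XSA-85 lists: a read one slot past the array only when the host uses the maximum number of supported CPUs, and no out-of-bounds access once the build-time maximum is strictly larger than the CPU count. It is a model written for this page, not Xen's flask_op.c and not xsa85.patch; MAX_PHYS_CPUS, nr_cpu_ids, struct cachestat_req and every function name below are assumptions.

```c
/*
 * Model of the XSA-85 bug class: a bounds check that uses ">" where ">="
 * (equivalently "<" for the accept path) was needed.  Not Xen's code;
 * table size, nr_cpu_ids and all names here are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Build-time maximum, standing in for Xen's max_phys_cpus=N. */
#define MAX_PHYS_CPUS 4u

struct cache_stats {
    unsigned int lookups;
    unsigned int hits;
    unsigned int misses;
};

/* One slot per supported CPU; whatever follows it is "other memory". */
static struct cache_stats per_cpu_stats[MAX_PHYS_CPUS];

/* Hypothetical guest-supplied hypercall argument. */
struct cachestat_req {
    uint32_t cpu;
};

/* Vulnerable guard: rejects only cpu > nr, so cpu == nr slips through. */
static bool guard_buggy(const struct cachestat_req *req, unsigned int nr_cpu_ids)
{
    return !(req->cpu > nr_cpu_ids);
}

/* Correct guard: valid indices are 0 .. nr_cpu_ids - 1. */
static bool guard_fixed(const struct cachestat_req *req, unsigned int nr_cpu_ids)
{
    return req->cpu < nr_cpu_ids;
}

enum outcome {
    REJECTED = 0,   /* guard refused the request                      */
    IN_TABLE = 1,   /* accepted; index lies inside per_cpu_stats       */
    PAST_TABLE = 2  /* accepted; index is past the end of the array    */
};

/*
 * Classify a request rather than perform the read, so the model itself
 * never dereferences past the array.  nr_cpu_ids is the number of CPUs
 * the host actually brought up; a host with more CPUs than the build
 * supports only uses MAX_PHYS_CPUS of them.
 */
static enum outcome classify(bool (*guard)(const struct cachestat_req *, unsigned int),
                             unsigned int nr_cpu_ids, uint32_t cpu)
{
    struct cachestat_req req = { .cpu = cpu };

    if (nr_cpu_ids > MAX_PHYS_CPUS)
        nr_cpu_ids = MAX_PHYS_CPUS;
    if (!guard(&req, nr_cpu_ids))
        return REJECTED;
    if (req.cpu < MAX_PHYS_CPUS) {
        per_cpu_stats[req.cpu].lookups++;   /* the real read would happen here */
        return IN_TABLE;
    }
    return PAST_TABLE;                      /* the real code would read past the array */
}

static enum outcome classify_buggy(unsigned int nr_cpu_ids, uint32_t cpu)
{
    return classify(guard_buggy, nr_cpu_ids, cpu);
}

static enum outcome classify_fixed(unsigned int nr_cpu_ids, uint32_t cpu)
{
    return classify(guard_fixed, nr_cpu_ids, cpu);
}

int main(void)
{
    static const char *const names[] = { "rejected", "in table", "PAST TABLE" };
    /* A host at the supported maximum, and one built with headroom (mitigation). */
    const unsigned int hosts[] = { MAX_PHYS_CPUS, MAX_PHYS_CPUS - 1 };

    for (size_t h = 0; h < 2; h++) {
        unsigned int nr = hosts[h];
        printf("host using %u of %u supported CPUs:\n", nr, MAX_PHYS_CPUS);
        for (uint32_t cpu = nr - 1; cpu <= nr + 1; cpu++)
            printf("  cpu=%u  buggy: %-10s  fixed: %s\n", cpu,
                   names[classify_buggy(nr, cpu)], names[classify_fixed(nr, cpu)]);
    }
    return 0;
}
```

With nr_cpu_ids equal to MAX_PHYS_CPUS the buggy guard accepts cpu == MAX_PHYS_CPUS and the index lands one slot past the table, which is the crash-or-leak case in the advisory. With one CPU of headroom the same index is still accepted but stays inside the array, reading an unused slot, which is why rebuilding with a strictly larger max_phys_cpus is listed as a mitigation; the corrected guard rejects it in both configurations.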
Comment 4 Alexander Bergmann 2014-02-10 12:28:02 UTC
CVE-2014-1895 was assigned to this issue.
Comment 5 Alexander Bergmann 2014-02-10 22:06:33 UTC
Xen version 4.2 and later are vulnerable only if built with XSM_ENABLE=y.

XSM_ENABLE is not enabled in SLE or openSUSE, so this XSA is not affecting us.
Comment 6 Charles Arnold 2014-02-25 18:19:10 UTC
Xen package submitted for this bug with the following requests:

SUSE:SLE-11-SP3:Update:Test: SR#33408
openSUSE:13.1:Update: MR#223835
openSUSE:12.3:Update: MR#223847
Comment 7 Swamp Workflow Management 2014-03-13 19:52:15 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)
Comment 8 Swamp Workflow Management 2014-03-13 23:08:18 UTC
SUSE-SU-2014:0373-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 831120,833251,848014,853048,853049,858311,860092,860163,860165,860300,860302,861256,863297
CVE References: CVE-2013-2212,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.4_02-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.4_02-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.4_02-0.7.1
Comment 9 Alexander Bergmann 2014-04-01 12:03:01 UTC
Fixed and released. Closing Bug.
Comment 10 Swamp Workflow Management 2014-04-04 14:10:18 UTC
openSUSE-SU-2014:0483-1: An update that solves 16 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 831120,833251,833483,840997,842417,846849,848014,848657,849665,849667,849668,853048,853049,858311,858496,860163,860165,860300,860302,861256,863297
CVE References: CVE-2013-2212,CVE-2013-4494,CVE-2013-4551,CVE-2013-4553,CVE-2013-4554,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950
Sources used:
openSUSE 12.3 (src):    xen-4.2.4_02-1.26.2