Bug 895804 (CVE-2014-6268) - VUL-0: CVE-2014-6268: xen: XSA-107: Mishandling of uninitialised FIFO-based event channel control blocks
Summary: VUL-0: CVE-2014-6268: xen: XSA-107: Mishandling of uninitialised FIFO-based e...
Status: RESOLVED FIXED
Alias: CVE-2014-6268
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-09 12:59 UTC by Marcus Meissner
Modified: 2014-09-30 16:02 UTC (History)
CC List: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
xsa107-4.4.patch (4.63 KB, patch)
2014-09-09 12:59 UTC, Marcus Meissner
xsa107-unstable.patch (4.59 KB, patch)
2014-09-09 12:59 UTC, Marcus Meissner

Description Marcus Meissner 2014-09-09 12:59:11 UTC
public, via oss-sec

                    Xen Security Advisory XSA-107

    Mishandling of uninitialised FIFO-based event channel control blocks

ISSUE DESCRIPTION
=================

When using the FIFO-based event channels, there are no checks for the
existence of a control block when binding an event or moving it to a
different VCPU.  This is because events may be bound when the ABI is
in 2-level mode (e.g., by the toolstack before the domain is started).

The guest may trigger a Xen crash in evtchn_fifo_set_pending() if:

  a) the event is bound to a VCPU without a control block; or
  b) VCPU 0 does not have a control block.

In case (a), Xen will crash when looking up the current queue.  In
(b), Xen will crash when looking up the old queue (which defaults to a
queue on VCPU 0).
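As an added illustration (not Xen's code and not the XSA-107 patch), a small C model with hypothetical structures of the set-pending path described above: before touching any queue it checks that both the bound VCPU and the VCPU owning the old queue (VCPU 0 by default) have a control block, and drops the event instead of dereferencing NULL.

```c
#include <stddef.h>
#include <stdint.h>

#define NR_VCPUS      4
#define NR_PRIORITIES 16

/* Hypothetical model: one FIFO control block per VCPU, one queue per priority. */
struct queue { uint32_t nr_linked; };
struct control_block { struct queue q[NR_PRIORITIES]; };

struct vcpu {
    /* NULL until the guest initialises it; events may already be bound
       while the ABI is still in 2-level mode, so binding cannot require it. */
    struct control_block *control_block;
};

struct evtchn {
    unsigned int vcpu_id;      /* VCPU the event is bound to */
    unsigned int last_vcpu_id; /* VCPU whose queue last held it; defaults to 0 */
    unsigned int priority;
    int linked;                /* currently on a queue of last_vcpu_id */
    int pending;
};

enum set_pending_result { SET_PENDING_QUEUED, SET_PENDING_DROPPED };

/*
 * Guarded set-pending path.  Without the NULL checks, case (a) of the
 * advisory dereferences the bound VCPU's missing control block and case (b)
 * dereferences VCPU 0's missing block while looking up the old queue.
 */
static enum set_pending_result set_pending(struct vcpu *vcpus, struct evtchn *ev)
{
    struct vcpu *v     = &vcpus[ev->vcpu_id];
    struct vcpu *old_v = &vcpus[ev->last_vcpu_id];

    /* Drop the event rather than crash the host when either block is missing. */
    if (v->control_block == NULL || old_v->control_block == NULL)
        return SET_PENDING_DROPPED;

    if (ev->linked)   /* move it off the old queue first */
        old_v->control_block->q[ev->priority].nr_linked--;

    v->control_block->q[ev->priority].nr_linked++;
    ev->linked = 1;
    ev->last_vcpu_id = ev->vcpu_id;
    ev->pending = 1;
    return SET_PENDING_QUEUED;
}
```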

IMPACT
======

A buggy or malicious guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen 4.4 and onward are vulnerable.

MITIGATION
==========

None.

CREDITS
=======

This issue was originally reported by Vitaly Kuznetsov at Red Hat and
diagnosed as a security issue by David Vrabel at Citrix.

NOTE REGARDING LACK OF EMBARGO
==============================

This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa107-unstable.patch        xen-unstable
xsa107-4.4.patch             Xen 4.4.x

$ sha256sum xsa107*.patch
b92ba8085b6684abbc8b012ae1a580b9e7ed7c8e67071a9e70381d4c1009638b  xsa107-4.4.patch
cd954a5bd742c751f8db884a3f31bd636a8c5850acddf5f1160dd6be1f706a09  xsa107-unstable.patch
$
Comment 1 Marcus Meissner 2014-09-09 12:59:36 UTC
Created attachment 605562
xsa107-4.4.patch

4.4 patch
Comment 2 Marcus Meissner 2014-09-09 12:59:58 UTC
Created attachment 605563
xsa107-unstable.patch

unstable patch
Comment 3 Swamp Workflow Management 2014-09-09 22:00:48 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2014-09-10 06:00:11 UTC
CVE-2014-6268
Comment 5 Charles Arnold 2014-09-19 00:39:46 UTC
This affects SLE12 only and has been submitted. It will be in GMC when
accepted (SR#44270).
Comment 6 Alexander Bergmann 2014-09-30 16:02:35 UTC
SLE-12 submission was already accepted. Closing bug.