Bugzilla – Bug 905465
VUL-0: CVE-2014-8866: XSA-111: xen: Excessive checking in compatibility mode hypercall argument translation
Last modified: 2016-11-22 17:19:16 UTC
*** EMBARGOED UNTIL 2014-11-27 12:00 UTC ***

ISSUE DESCRIPTION
=================

The hypercall argument translation needed for 32-bit guests running on 64-bit hypervisors performs checks on the final register state. These checks cover all registers potentially holding hypercall arguments, not just the ones actually doing so for the hypercall being processed, since the code was originally intended for use only by PV guests.

While this is not a problem for PV guests (as they can't enter 64-bit mode and hence can't alter the high halves of any of the registers), the subsequent reuse of the same functionality for HVM guests exposed those checks to values (specifically, unexpected values for the high halves of registers not holding hypercall arguments) controlled by guest software.

IMPACT
======

A buggy or malicious HVM guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen 3.3 and onward are vulnerable.

Only x86 systems are vulnerable. ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests on any version of Xen so far released by xenproject.org.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa111-unstable.patch    xen-unstable, Xen 4.4.x
xsa111-4.3.patch         Xen 4.3.x
xsa111-4.2.patch         Xen 4.2.x

$ sha256sum xsa111*.patch
f6e1bf166ebed6235802e4e42853430d2f5b456c1837908a4f7ed6d4d150e4b4  xsa111-4.2.patch
e9b03a4443a40142cc5c21848dc9589770620dde8924344c4a00028c4dace9f2  xsa111-4.3.patch
3c418f065cd452c225af34c3cccf9bdbc37efb6c6a5fc5940fd83ad8620510d3  xsa111.patch
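The over-broad check described in the advisory above, as an added example that is not code from Xen or from the attached patches: a simplified C model comparing a check over every possible argument register with one limited to the registers the hypercall actually uses. The register layout, the six-register limit, the sample values and all names are assumptions made for illustration, and the narrowed check is one way to scope the validation, not a description of what the patches do.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ARGS 6 /* assumption: six registers may carry hypercall arguments */

/* Simplified model of guest register state; not Xen's own structure. */
struct model_regs { uint64_t arg[MAX_ARGS]; };

/* True when the upper 32 bits of a 64-bit register are non-zero. */
static bool high_half_set(uint64_t reg) { return (reg >> 32) != 0; }

/* Excessive check: inspects every register that could hold an argument.
 * A failed check of this kind inside a hypervisor takes the host down, so
 * the model returns false where such code would stop. */
bool check_all_regs(const struct model_regs *r)
{
    for (unsigned int i = 0; i < MAX_ARGS; i++)
        if (high_half_set(r->arg[i]))
            return false;
    return true;
}

/* Narrowed check: inspects only the nr_args registers this hypercall uses. */
bool check_used_regs(const struct model_regs *r, unsigned int nr_args)
{
    if (nr_args > MAX_ARGS)
        return false;
    for (unsigned int i = 0; i < nr_args; i++)
        if (high_half_set(r->arg[i]))
            return false;
    return true;
}

/* Constructed sample: a two-argument call whose unused fifth register
 * carries non-zero upper bits. */
struct model_regs sample_regs(void)
{
    struct model_regs r = { .arg = { 0x1000, 0x2, 0, 0, 0xdeadbeef00000000ULL, 0 } };
    return r;
}

int main(void)
{
    struct model_regs r = sample_regs();
    printf("all-register check passes: %d\n", check_all_regs(&r));
    printf("used-register check passes: %d\n", check_used_regs(&r, 2));
    return 0;
}
```

With the constructed sample, the all-register check fails on a register the call never reads, while the check scoped to two arguments passes.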
Created attachment 613677 [details] xen-unstable, Xen 4.4.x
Created attachment 613678 [details] Xen 4.3.x
Created attachment 613679 [details] Xen 4.2.x
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-11-27. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59647
bugbot adjusting priority
Xen has been submitted with the following MR/SR numbers:
SLE12: MR#46616
SLE11-SP3: SR#46617
SLE11-SP2: SR#46618
SLE11-SP1: SR#46619
SLE11-SP1-Teradata: SR#46622
is public
SUSE-SU-2014:1700-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 866902,882089,896023,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): xen-4.2.5_02-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src): xen-4.2.5_02-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src): xen-4.2.5_02-0.7.1
SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): xen-4.1.6_08-0.5.1
SUSE-SU-2015:0022-1: An update that solves 8 vulnerabilities and has 10 fixes is now available.
Category: security (important)
Bug References: 826717,866902,882089,889526,896023,897614,897906,898772,900292,901317,903357,903359,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): xen-4.4.1_08-5.2
SUSE Linux Enterprise Server 12 (src): xen-4.4.1_08-5.2
SUSE Linux Enterprise Desktop 12 (src): xen-4.4.1_08-5.2
openSUSE-SU-2015:0226-1: An update that solves 11 vulnerabilities and has 5 fixes is now available.
Category: security (important)
Bug References: 826717,866902,882089,889526,900292,901317,903357,903359,903850,903967,903970,905465,905467,906439,906996,910681
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361
Sources used:
openSUSE 13.1 (src): xen-4.3.3_04-34.1
close
openSUSE-SU-2015:0256-1: An update that solves 11 vulnerabilities and has 9 fixes is now available.
Category: security (important)
Bug References: 826717,866902,882089,889526,896023,897906,898772,900292,901317,903357,903359,903850,903967,903970,904255,905465,905467,906439,906996,910681
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361
Sources used:
openSUSE 13.2 (src): xen-4.4.1_08-9.1