Bug 932790 (CVE-2015-4163) - VUL-0: CVE-2015-4163: xen: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134)
Summary: VUL-0: CVE-2015-4163: xen: GNTTABOP_swap_grant_ref operation misbehavior (XSA...
Status: RESOLVED FIXED
Alias: CVE-2015-4163
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3:61876 CVSSv2...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-29 09:20 UTC by Andreas Stieger
Modified: 2015-12-08 14:12 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 2 Swamp Workflow Management 2015-05-29 22:00:15 UTC 
bugbot adjusting priority
Comment 4 Andreas Stieger 2015-06-02 16:04:41 UTC 
CVE-2015-4163 assigned
Comment 5 Andreas Stieger 2015-06-11 12:39:38 UTC 
public at http://xenbits.xen.org/xsa/advisory-134.html


            Xen Security Advisory CVE-2015-4163 / XSA-134
                              version 3

             GNTTABOP_swap_grant_ref operation misbehavior

UPDATES IN VERSION 3
====================

Public release.

Added email header syntax to patches, for e.g. git-am.

ISSUE DESCRIPTION
=================

With the introduction of version 2 grant table operations, a version
check became necessary for most grant table related hypercalls.  The
GNTTABOP_swap_grant_ref call was lacking such a check.  As a result,
the subsequent code behaved as if version 2 was in use, when a guest
issued this hypercall without a prior GNTTABOP_setup_table or
GNTTABOP_set_version.

The effect is a possible NULL pointer dereferences.  However, this
cannot be exploited to elevate privileges of the attacking domain, as
the maximum memory address that can be wrongly accessed this way is
bounded to far below the start of hypervisor memory.

IMPACT
======

Malicious or buggy guest domain kernels can mount a denial of service
attack which, if successful, can affect the whole system.

VULNERABLE SYSTEMS
==================

Xen versions from 4.2 onwards are vulnerable.

MITIGATION
==========

There is no mitigation available.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa134.patch        xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa134*.patch
fff911a994a5031831cabd574bcba281eff438559706414a1886502eaa05ee12  xsa134.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 6 Swamp Workflow Management 2015-06-11 15:06:53 UTC 
SUSE-SU-2015:1042-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 906689,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.2_06-21.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.2_06-21.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.2_06-21.1
Comment 7 Swamp Workflow Management 2015-06-11 18:06:04 UTC 
SUSE-SU-2015:1045-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.5_08-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.5_08-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.5_08-0.9.1
Comment 8 Swamp Workflow Management 2015-06-22 10:10:45 UTC 
openSUSE-SU-2015:1092-1: An update that solves 17 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 861318,882089,895528,901488,903680,906689,910254,912011,918995,918998,919098,919464,919663,921842,922705,922706,922709,923758,927967,929339,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2014-3615,CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2152,CVE-2015-2751,CVE-2015-2752,CVE-2015-2756,CVE-2015-3209,CVE-2015-3340,CVE-2015-3456,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
openSUSE 13.2 (src):    xen-4.4.2_06-23.1
Comment 9 Swamp Workflow Management 2015-06-22 12:06:05 UTC 
openSUSE-SU-2015:1094-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 922709,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2015-2751,CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
openSUSE 13.1 (src):    xen-4.3.4_05-47.1
Comment 10 Marcus Meissner 2015-12-08 14:12:29 UTC 
released