932996 – (CVE-2015-4164) VUL-0: CVE-2015-4164: xen: DoS through iret hypercall handler (XSA-136)

Bug 932996 (CVE-2015-4164) - VUL-0: CVE-2015-4164: xen: DoS through iret hypercall handler (XSA-136)

Summary: VUL-0: CVE-2015-4164: xen: DoS through iret hypercall handler (XSA-136)

Status:	RESOLVED FIXED

Alias:	CVE-2015-4164

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Deadline:	2016-01-26
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:sle11-sp1:61879 maint:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2015-05-31 08:17 UTC by Andreas Stieger
Modified:	2016-03-07 12:43 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 1 Swamp Workflow Management 2015-05-31 22:00:14 UTC

bugbot adjusting priority

Comment 3 Andreas Stieger 2015-06-02 16:03:45 UTC

CVE assigned

Comment 4 Swamp Workflow Management 2015-06-03 10:14:17 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-06-10.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61875

Comment 5 Andreas Stieger 2015-06-11 12:41:27 UTC

public via http://xenbits.xen.org/xsa/advisory-136.html

             Xen Security Advisory CVE-2015-4164 / XSA-136
                              version 3

              vulnerability in the iret hypercall handler

UPDATES IN VERSION 3
====================

Public release.

Added email header syntax to patches, for e.g. git-am.

ISSUE DESCRIPTION
=================

A buggy loop in Xen's compat_iret() function iterates the wrong way
around a 32-bit index.  Any 32-bit PV guest kernel can trigger this
vulnerability by attempting a hypercall_iret with EFLAGS.VM set.

Given the use of __get/put_user(), and that the virtual addresses in
question are contained within the lower canonical half, the guest
cannot clobber any hypervisor data.  Instead, Xen will take up to 2^33
pagefaults, in sequence, effectively hanging the host.

IMPACT
======

Malicious guest administrators can cause a denial of service affecting
the whole system.

VULNERABLE SYSTEMS
==================

Only 64-bit x86 (ARCH=x86_64) builds of Xen are vulnerable.  32-bit
builds (ARCH=x86_32) (necessarily of Xen 4.2 or earlier), are not
affected.

Xen versions 3.1 or later are vulnerable.

ARM systems are not vulnerable.

Only 32-bit PV guests can exploit the vulnerability.

MITIGATION
==========

Systems which only need to run 32-bit guests and are running Xen 4.2
or earlier can avoid the vulnerability by using a 32-bit build of Xen
instead of a 64-bit build.  (The dom0 operating system would have to
be 32-bit too.)

If the boot process and kernel for the guest can be controlled,
forcing it to use a 64-bit kernel will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

$ sha256sum xsa136*.patch
b54a71cf41d333345a9b8fd5f3f1aa644000a24e20343b54e5a41cd51d14af04  xsa136.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

Comment 6 Swamp Workflow Management 2015-06-11 15:07:08 UTC

SUSE-SU-2015:1042-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 906689,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.2_06-21.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.2_06-21.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.2_06-21.1

Comment 7 Swamp Workflow Management 2015-06-11 18:06:13 UTC

SUSE-SU-2015:1045-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.5_08-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.5_08-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.5_08-0.9.1

Comment 8 Swamp Workflow Management 2015-06-22 10:10:56 UTC

openSUSE-SU-2015:1092-1: An update that solves 17 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 861318,882089,895528,901488,903680,906689,910254,912011,918995,918998,919098,919464,919663,921842,922705,922706,922709,923758,927967,929339,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2014-3615,CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2152,CVE-2015-2751,CVE-2015-2752,CVE-2015-2756,CVE-2015-3209,CVE-2015-3340,CVE-2015-3456,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
openSUSE 13.2 (src):    xen-4.4.2_06-23.1

Comment 9 Swamp Workflow Management 2015-06-22 12:06:15 UTC

openSUSE-SU-2015:1094-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 922709,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2015-2751,CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
openSUSE 13.1 (src):    xen-4.3.4_05-47.1

Comment 10 Swamp Workflow Management 2015-06-29 12:06:27 UTC

SUSE-SU-2015:1156-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 931625,931626,931627,931628,932770,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.25.1

Comment 11 Swamp Workflow Management 2015-06-29 13:06:19 UTC

SUSE-SU-2015:1157-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 931625,931626,931627,931628,932770,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.13.1

Comment 12 Swamp Workflow Management 2015-07-08 15:08:31 UTC

SUSE-SU-2015:1206-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 932770,932996
CVE References: CVE-2015-3209,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    xen-3.2.3_17040_46-0.17.1

Comment 14 Swamp Workflow Management 2015-09-02 16:10:12 UTC

SUSE-SU-2015:1479-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 922709,932996,935634,938344,939709,939712
CVE References: CVE-2015-2751,CVE-2015-3259,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    xen-4.2.5_12-15.1
SUSE Linux Enterprise Server 11-SP3 (src):    xen-4.2.5_12-15.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    xen-4.2.5_12-15.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_12-15.1

Comment 15 Swamp Workflow Management 2015-09-02 17:09:56 UTC

SUSE-SU-2015:1479-2: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 922709,932996,935634,938344,939709,939712
CVE References: CVE-2015-2751,CVE-2015-3259,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166
Sources used:
SUSE Linux Enterprise Desktop 11-SP3 (src):    xen-4.2.5_12-15.1

Comment 16 Swamp Workflow Management 2015-09-25 19:10:48 UTC

SUSE-SU-2015:1643-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 932770,932996,938344,939712
CVE References: CVE-2015-3209,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    xen-3.2.3_17040_46-0.21.1

Comment 17 Swamp Workflow Management 2015-11-11 14:07:25 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-11-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62332

Comment 18 Marcus Meissner 2015-12-08 14:12:43 UTC

rekleased

Comment 19 Swamp Workflow Management 2016-01-19 11:50:17 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-01-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62448