Bug 956409 (CVE-2015-8341) - VUL-0: CVE-2015-8341: xen: libxl leak of pv kernel and initrd on error (XSA-160)
Status: RESOLVED FIXED
Alias: CVE-2015-8341
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2015-11-24 08:41 UTC by Alexander Bergmann
Modified: 2016-04-27 19:47 UTC
Comment 4 SMASH SMASH 2015-11-24 14:55:41 UTC
An update workflow for this issue was started.

This issue was rated as "moderate".
Please submit fixed packages until "Dec. 8, 2015".

When done, reassign the bug to "security-team@suse.de".
/update/121035/.
Comment 5 Swamp Workflow Management 2015-11-24 23:00:25 UTC
bugbot adjusting priority
Comment 6 Alexander Bergmann 2015-11-25 15:49:20 UTC
CVE-2015-8341 was assigned to this issue.
Comment 7 Marcus Meissner 2015-12-08 12:12:43 UTC
is public

            Xen Security Advisory CVE-2015-8341 / XSA-160
                              version 3

              libxl leak of pv kernel and initrd on error

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When constructing a guest which is configured to use a PV bootloader
which runs as a userspace process in the toolstack domain
(e.g. pygrub) libxl creates a mapping of the files to be used as
kernel and initial ramdisk when building the guest domain.

However if building the domain subsequently fails these mappings would
not be released leading to a leak of virtual address space in the
calling process, as well as preventing the recovery of the temporary
disk files containing the kernel and initial ramdisk.

IMPACT
======

For toolstacks which manage multiple domains within the same process,
an attacker who is able to repeatedly start a suitable domain (or many
such domains) can cause an out-of-memory condition in the toolstack
process, leading to a denial of service.

Under the same circumstances an attacker can also cause files to
accumulate on the toolstack domain filesystem (usually under /var in
dom0) used to temporarily store the kernel and initial ramdisk,
perhaps leading to a denial of service against arbitrary other
services using that filesystem.

VULNERABLE SYSTEMS
==================

Both ARM and x86 systems using a libxl based toolstack are potentially
vulnerable.

Only libxl-based toolstacks which manage multiple domains in the same
process (such as `libvirt') are vulnerable.

libxl-based toolstacks which manage only a single domain per process
and which exit on failure to create a domain (such as `xl') are not
vulnerable.

Toolstacks not using libxl are not vulnerable to this issue.

Only domains configured to use a PV bootloader in the toolstack domain
(e.g. pygrub) will expose this issue.  Domains configured to use
pvgrub (a totally different program) are not vulnerable.

x86 HVM domains are not vulnerable.

Systems where the kernel and initial ramdisk are provided by the host
administrator from files in domain 0 are not vulnerable.

Xen versions 4.1.x and later are vulnerable.

MITIGATION
==========

Avoiding the use of the PV bootloader mechanisms which run as
processes in the toolstack domain (pygrub), either by providing
kernels directly from the toolstack domain or using a PV bootloader
which runs in guest context (such as pvgrub) will prevent exposure of
this issue.

CREDITS
=======

This issue was discovered by George Dunlap of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa160.patch               xen-unstable
xsa160-4.6.patch           Xen 4.5.x, 4.6.x
xsa160-4.4.patch           Xen 4.3.x, 4.4.x

$ sha256sum xsa160*
470811aeead5e942d6fedad5b4e21bee85f2160b022bcab315520014b6aa39a6  xsa160.patch
d0ce9e3c2b951ac3d25da4a0f6f232b13980625a249ed9c4cd6e9484721943a5  xsa160-4.4.patch
40362873b7fa2c1450596ef9ea23c73f80608b77ca50b89e62daf46c131fcee6  xsa160-4.6.patch
$
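
The error-path leak described in the advisory above, reduced to a stand-alone C illustration. This is an added example, not libxl code and not the XSA-160 patch; every name in it (struct boot_file, stage, release, build_domain, create_guest_leaky, create_guest_fixed) and the /tmp path are hypothetical, and the payload is constructed.

```c
#define _XOPEN_SOURCE 700
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Hypothetical stand-in for a kernel/initrd extracted by a dom0 bootloader. */
struct boot_file { char path[64]; void *map; size_t len; int live; };

/* Write a constructed payload to a temp file and map it for the builder. */
static int stage(struct boot_file *bf)
{
    static const char payload[] = "constructed kernel image";
    *bf = (struct boot_file){ .path = "/tmp/xsa160-demo-XXXXXX", .len = sizeof payload };
    int fd = mkstemp(bf->path);
    if (fd < 0) return -1;
    if (write(fd, payload, bf->len) == (ssize_t)bf->len)
        bf->map = mmap(NULL, bf->len, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);                       /* the mapping outlives the descriptor */
    if (!bf->map || bf->map == MAP_FAILED) { unlink(bf->path); return -1; }
    bf->live = 1;
    return 0;
}

/* Idempotent release: unmap and delete, safe to call on any exit path. */
static void release(struct boot_file *bf)
{
    if (bf->live) { munmap(bf->map, bf->len); unlink(bf->path); }
    bf->live = 0;
}
/* Simulated domain build; 'fail' models a build that fails after staging. */
static int build_domain(const struct boot_file *bf, int fail) { (void)bf; return fail ? -1 : 0; }

/* Leaky shape: the early return on build failure skips release(). */
int create_guest_leaky(struct boot_file *bf, int fail)
{
    if (stage(bf)) return -1;
    if (build_domain(bf, fail)) return -1;   /* mapping and temp file stay behind */
    release(bf);
    return 0;
}

/* Fixed shape: a single exit path releases on success and on error. */
int create_guest_fixed(struct boot_file *bf, int fail)
{
    int rc = stage(bf) ? -1 : build_domain(bf, fail);
    release(bf);
    return rc;
}
/* Observability: is the temp file / the mapping still present? */
int file_left(const struct boot_file *bf) { return access(bf->path, F_OK) == 0; }
int map_left(const struct boot_file *bf) { return msync(bf->map, bf->len, MS_ASYNC) == 0; }
```

In a process that exits after a failed create, the kernel reclaims the mapping; in a long-lived process that manages many domains, each failed call to the leaky shape adds one mapping and one file.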
Comment 8 Swamp Workflow Management 2015-12-19 15:11:51 UTC
SUSE-SU-2015:2324-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 947165,954018,954405,956408,956409,956411,956592,956832
CVE References: CVE-2015-3259,CVE-2015-4106,CVE-2015-5154,CVE-2015-5239,CVE-2015-5307,CVE-2015-6815,CVE-2015-7311,CVE-2015-7504,CVE-2015-7835,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xen-4.5.2_02-4.1
SUSE Linux Enterprise Server 12-SP1 (src):    xen-4.5.2_02-4.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    xen-4.5.2_02-4.1
Comment 9 Swamp Workflow Management 2015-12-19 15:15:05 UTC
SUSE-SU-2015:2326-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 947165,950703,950704,950705,950706,951845,954018,954405,956408,956409,956411,956592,956832
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7504,CVE-2015-7969,CVE-2015-7970,CVE-2015-7971,CVE-2015-7972,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    xen-4.2.5_18-21.1
SUSE Linux Enterprise Server 11-SP3 (src):    xen-4.2.5_18-21.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    xen-4.2.5_18-21.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_18-21.1
Comment 10 Swamp Workflow Management 2015-12-19 15:18:15 UTC
SUSE-SU-2015:2328-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 947165,950703,950704,950705,950706,951845,954018,954405,956408,956409,956411,956592,956832
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7504,CVE-2015-7835,CVE-2015-7969,CVE-2015-7970,CVE-2015-7971,CVE-2015-7972,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.3_06-22.15.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.3_06-22.15.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.3_06-22.15.1
Comment 11 Marcus Meissner 2015-12-19 16:53:30 UTC
released
Comment 12 Swamp Workflow Management 2015-12-22 12:13:35 UTC
SUSE-SU-2015:2338-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 947165,950703,950704,950705,950706,951845,954018,954405,955399,956408,956409,956411,956592,956832
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7504,CVE-2015-7835,CVE-2015-7969,CVE-2015-7970,CVE-2015-7971,CVE-2015-7972,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.3_06-29.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.3_06-29.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    xen-4.4.3_06-29.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.3_06-29.1
Comment 13 Swamp Workflow Management 2016-01-14 21:13:59 UTC
openSUSE-SU-2016:0123-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 954018,956408,956409,956411,956592,956832,957988,958007,958009,958493,958523,958918,959006,959387
CVE References: CVE-2015-5307,CVE-2015-7504,CVE-2015-7549,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568
Sources used:
openSUSE 13.2 (src):    xen-4.4.3_08-36.1
Comment 14 Swamp Workflow Management 2016-01-14 21:17:06 UTC
openSUSE-SU-2016:0124-1: An update that solves 15 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 947165,950704,954018,954405,956408,956409,956411,956592,956832,957988,958007,958009,958493,958523,958918,959006
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7504,CVE-2015-7549,CVE-2015-7970,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558
Sources used:
openSUSE 13.1 (src):    xen-4.3.4_10-53.1
Comment 15 Swamp Workflow Management 2016-01-14 21:19:42 UTC
openSUSE-SU-2016:0126-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 954018,956408,956409,956411,956592,956832,957988,958007,958009,958493,958523,958918,959006,959387
CVE References: CVE-2015-5307,CVE-2015-7504,CVE-2015-7549,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568
Sources used:
openSUSE Leap 42.1 (src):    xen-4.5.2_04-9.2