997731 – (CVE-2016-7154) VUL-0: CVE-2016-7154: xen: use after free in FIFO event channel code (XSA-188)

Bug 997731 (CVE-2016-7154) - VUL-0: CVE-2016-7154: xen: use after free in FIFO event channel code (XSA-188)

Summary: VUL-0: CVE-2016-7154: xen: use after free in FIFO event channel code (XSA-188)

Status:	RESOLVED FIXED

Alias:	CVE-2016-7154

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv2:SUSE:CVE-2016-7154:6.9:(AV:A/A...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-09-07 20:06 UTC by Andreas Stieger
Modified:	2016-10-13 19:19 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 2 Swamp Workflow Management 2016-09-07 22:00:26 UTC

bugbot adjusting priority

Comment 3 Johannes Segitz 2016-09-08 14:23:30 UTC

            Xen Security Advisory CVE-2016-7154 / XSA-188
                              version 3

               use after free in FIFO event channel code

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When the EVTCHNOP_init_control operation is called with a bad guest
frame number, it takes an error path which frees a control structure
without also clearing the corresponding pointer.  Certain subsequent
operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control),
upon finding the non-NULL pointer, continue operation assuming it
points to allocated memory.

IMPACT
======

A malicious guest administrator can crash the host, leading to a DoS.
Arbitrary code execution (and therefore privilege escalation), and
information leaks, cannot be excluded.

VULNERABLE SYSTEMS
==================

Only Xen 4.4 is vulnerable.  Xen versions 4.5 and later as well as Xen
versions 4.3 and earlier are not vulnerable.

MITIGATION
==========

There is no mitigation available.

CREDITS
=======

This issue was discovered by Mikhail Gorobets of Advanced Threat
Research, Intel Security.
RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa188.patch           Xen 4.4.x

$ sha256sum xsa188*
9f374c2e1437ad71369f41275e7b333e7b7691a783ba693ee567c899bd78c722  xsa188.patch

Comment 4 Charles Arnold 2016-10-03 17:17:32 UTC

Submitted for

Devel:Virt:SLE-11-SP4
Devel:Virt:SLE-12

Comment 5 Swamp Workflow Management 2016-10-11 17:30:37 UTC

openSUSE-SU-2016:2497-1: An update that solves 38 vulnerabilities and has 20 fixes is now available.

Category: security (important)
Bug References: 953339,953362,953518,954872,955399,958848,961100,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,990843,990923,990970,991934,992224,994421,994625,994761,994772,994775,995785,995789,995792,997731
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094,CVE-2016-7154
Sources used:
openSUSE 13.2 (src):    xen-4.4.4_05-49.1

Comment 6 Swamp Workflow Management 2016-10-12 13:14:29 UTC

SUSE-SU-2016:2507-1: An update that solves 10 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 966467,970135,971949,988675,990970,991934,992224,993507,994136,994421,994625,994761,994772,994775,995785,995789,995792,997731
CVE References: CVE-2016-6258,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094,CVE-2016-7154
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_08-40.2
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_08-40.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_08-40.2

Comment 7 Andreas Stieger 2016-10-13 15:42:12 UTC

All done, closing

Comment 8 Swamp Workflow Management 2016-10-13 19:19:39 UTC

SUSE-SU-2016:2533-1: An update that solves 38 vulnerabilities and has 20 fixes is now available.

Category: security (important)
Bug References: 953339,953362,953518,954872,955399,957986,958848,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,990843,990923,990970,991934,992224,994421,994625,994761,994772,994775,995785,995789,995792,997731
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094,CVE-2016-7154
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_04-22.22.2
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_04-22.22.2