Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 20 Jun 2013 01:09:38 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Xen.org security team" <security@....org>, xen-announce@...ts.xen.org,
        xen-devel@...ts.xen.org, xen-users@...ts.xen.org
Subject: Re: Xen Security Advisory 55 - Multiple vulnerabilities
 in libelf PV kernel handling

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/14/2013 10:46 AM, Xen.org security team wrote:
> Xen Security Advisory XSA-55 version 4
> 
> Multiple vulnerabilities in libelf PV kernel handling
> 
> UPDATES IN VERSION 4 ====================
> 
> We are sending out a version 4 of this advisory with no files 
> attached.  This is because the size of the version 3 advisory
> email caused delivery problems for some recipients.
> 
> This version instead quotes the patchset git changeset ids in
> xen.git.
> 
> UPDATES IN VERSION 3 ====================
> 
> Fixed patch series provided.  These patches have been as
> thoroughly reviewed as possible and subjected to various regression
> testing.
> 
> NOTE REGARDING CVE ==================
> 
> We have not yet been assigned a CVE number for this issue.
> 
> ISSUE DESCRIPTION =================
> 
> The ELF parser used by the Xen tools to read domains' kernels and 
> construct domains has multiple integer overflows, pointer
> dereferences based on calculations from unchecked input values, and
> other problems.

Apologies for the delay on this, I tried to tease all the issues apart
and ended up taking the cowards way out (which I should have in the
first place, apologies to the Xen guys). Please use:

CVE-2013-2194 XEN XSA-55 integer overflows
CVE-2013-2195 XEN XSA-55 pointer dereferences
CVE-2013-2196 XEN XSA-55 other problems





> IMPACT ======
> 
> A malicious PV domain administrator who can specify their own
> kernel can escalate their privilege to that of the domain
> construction tools (i.e., normally, to control of the host).
> 
> Additionally a malicious HVM domain administrator who is able to 
> supply their own firmware ("hvmloader") can do likewise; however
> we think this would be very unusual and it is unlikely that such 
> configurations exist in production systems.
> 
> VULNERABLE SYSTEMS ==================
> 
> All Xen versions are affected.
> 
> Installations which only allow the use of trustworthy kernels for
> PV domains are not affected.
> 
> MITIGATION ==========
> 
> Ensuring that PV guests use only trustworthy kernels will avoid
> this problem.
> 
> RESOLUTION ==========
> 
> Applying the appropriate patch series will resolve this issue.
> 
> These were attached to v3 of the advisory which can be found here: 
> http://lists.xen.org/archives/html/xen-devel/2013-06/msg01626.html
> 
> These are available in xen.git 
> http://xenbits.xen.org/gitweb/?p=xen.git 
> git://xenbits.xen.org/xen.git 
> http://xenbits.xen.org/git-http/xen.git in the git changesets
> listed below.
> 
> xen-unstable:
> 
> 82cb4113b6ace16de192021de20f6cbd991e478f libxc: Better range check
> in xc_dom_alloc_segment 966070058d02cce9684e30073b61d6465e4b351c
> libxc: check blob size before proceeding in xc_dom_check_gzip 
> de7911eaef98b6643d80e4612fe4dcd4528d15b9 libxc: range checks in
> xc_dom_p2m_host and _guest 3d5a1d4733e55e33521cd5004cab1313e5c5d5ff
> libxc: check return values from malloc 
> aaebaba5ae225f591e0602e071037a935bb281b6 libxc: check failure of
> xc_dom_*_to_ptr, xc_map_foreign_range 
> 2bcee4b3c316379f4b52cb308947eb6db3faf1a0 libxc: Add range checking
> to xc_dom_binloader 66fe2726fe8492676f9970b9c2c511bce6186ece
> libelf: abolish obsolete macros 
> 39bf7b9d0ae534491745e54df5232127c0bddaf1 libelf: check loops for
> running away a004800f8fc607b96527815c8e3beabcb455d8e0 libelf: use
> only unsigned integers 7a549a6aa04dba807f8dd4c1577ab6a7592c4c76
> libelf: use C99 bool for booleans 
> c84481fbc7de7d15ff7476b3b9cd2713f81feaa3 libelf: Make all callers
> call elf_check_broken 943de71cf07d9d04ccb215bd46153b04930e9f25
> libelf: Check pointer references in elf_is_elfbinary 
> 65808a8ed41cc7c044f588bd6cab5af0fdc0e029 libelf: check all pointer
> accesses 04877847ade4ac9216e9f408fd544ade8f90cf9a libelf: check
> nul-terminated strings properly 
> 50421bd56bf164f490d7d0bf5741e58936de41e8 tools/xcutils/readnotes:
> adjust print_l1_mfn_valid_note 
> 85256359995587df00001dca22e9a76ba6ea8258 libelf: introduce macros
> for memory access and pointer handling 
> 95dd49bed681af93f71a401b0a35bf2f917c6e68
> libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised 
> f7aa72ec00aec71eed055dac5e8a151966d75c9c libelf: move include of
> <asm/guest_access.h> to top of file 
> 13e2c808f7ea721c8f200062e2b9b977ee924471 libelf: abolish elf_sval
> and elf_access_signed 009ddca51504ce80889937e485d44ac0f9290d63
> libelf: add `struct elf_binary*' parameter to elf_load_image 
> b5a869209998fedadfe205d37addbd50a802998b libxc: Fix range checking
> in xc_dom_pfn_to_ptr etc. 53bfcf585b09eb4ac2240f89d1ade77421cd2451
> libxc: introduce xc_dom_seg_to_ptr_pages 
> 14573b974850d82de7aebad17e6471d27d847f2c libelf: abolish
> libelf-relocate.c
> 
> Xen 4.2.x:
> 
> d21d36e84354c04638b60a739a5f7c3d9f8adaf8 libxc: Better range check
> in xc_dom_alloc_segment 2a548e22915535ac13694eb38222903bca7245e3
> libxc: check blob size before proceeding in xc_dom_check_gzip 
> 052a689aa526ca51fd70528d4b0f83dfb2de99c1 libxc: range checks in
> xc_dom_p2m_host and _guest 8dc90d163650ce8aa36ae0b46debab83cc61edb6
> libxc: check return values from malloc 
> 77c0829fa751f052f7b8ec08287aef6e7ba97bc5 libxc: check failure of
> xc_dom_*_to_ptr, xc_map_foreign_range 
> b06e277b1fc08c7da3befeb3ac3950e1d941585d libxc: Add range checking
> to xc_dom_binloader 3baaa4ffcd3e7dd6227f9bdf817f90e5b75aeda2
> libelf: abolish obsolete macros 
> 52d8cc2dd3bb3e0f6d51e00280da934e8d91653a libelf: check loops for
> running away e673ca50127b6c1263727aa31de0b8bb966ca7a2 libelf: use
> only unsigned integers 3fb6ccf2faccaf5e22e33a3155ccc72d732896d8
> libelf: use C99 bool for booleans 
> a965b8f80388603d439ae2b8ee7b9b018a079f90 libelf: Make all callers
> call elf_check_broken d0790bdad7496e720416b2d4a04563c4c27e7b95
> libelf: Check pointer references in elf_is_elfbinary 
> cc8761371aac432318530c2ddfe2c8234bc0621f libelf: check all pointer
> accesses db14d5bd9b6508adfcd2b910f454fae12fa4ba00 libelf: check
> nul-terminated strings properly 
> 59f66d58180832af6b99a9e4489031b5c2f627ab tools/xcutils/readnotes:
> adjust print_l1_mfn_valid_note 
> 40020ab55a1e9a1674ddecdb70299fab4fe8579d libelf: introduce macros
> for memory access and pointer handling 
> de9089b449d2508b1ba05590905c7ebaee00c8c4
> libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised 
> 682a04488e7b3bd6c3448ab60599566eb7c6177a libelf: move include of
> <asm/guest_access.h> to top of file 
> 83ec905922b496e1a5756e3a88405eb6c2c6ba88 libelf: abolish elf_sval
> and elf_access_signed 035634047d10c678cbb8801c4263747bdaf4e5b1
> libelf: add `struct elf_binary*' parameter to elf_load_image 
> 8c738fa5c1f3cfcd935b6191b3526f7ac8b2a5bd libxc: Fix range checking
> in xc_dom_pfn_to_ptr etc. a672da4b2d58ef12be9d7407160e9fb43cac75d9
> libxc: introduce xc_dom_seg_to_ptr_pages 
> 9737484becab4a25159f1e985700eaee89690d34 libelf: abolish
> libelf-relocate.c
> 
> Xen 4.1.x:
> 
> ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978 libxc: check blob size
> before proceeding in xc_dom_check_gzip 
> 6eca85d5c144ee8c899ee3cf8791f9087b15f2e8 libxc: range checks in
> xc_dom_p2m_host and _guest a2986a7959919bc748784bb75970bfbd42697d3b
> libxc: check return values from malloc 
> 117a538dbef62f8d39159dea652e633e01b50a9a libxc: check failure of
> xc_dom_*_to_ptr, xc_map_foreign_range 
> 40b76f1fb04af421c1415f7bcb168dfaa6960d0d libxc: Add range checking
> to xc_dom_binloader 4a3a60d8caee49af6951a672c55b08436a8d1f86
> libelf: abolish obsolete macros 
> 968c0399159c65e24bb8b9969259e18791e1f4d8 libelf: check loops for
> running away 282188ea84b9e0f9c4865f0609e7740f2f28e7b0 libxc:
> Introduce xc_bitops.h 86e39ce58e91fe55d4fdbc914cb1955c45acc20e
> libelf: use only unsigned integers 
> bd3dba9f435fa59f305407f7d9b34e1e164ddd98 libelf: use C99 bool for
> booleans 44c74b1ed31c75ed9026abf62ab7427a46d8027a libelf: Make all
> callers call elf_check_broken 
> 9962d7ffcce97ec2d69a15ef861996b1ead33694 libelf: Check pointer
> references in elf_is_elfbinary 
> 39923542bb43e67776c4e8292d4a5a1adef2bd3b libelf: check all pointer
> accesses 8ce60b35beaac91a97b79c004ca6bf5d58e7390b libelf: check
> nul-terminated strings properly 
> 4e46085972d2367dff2345a73361c1c17b47ce73 tools/xcutils/readnotes:
> adjust print_l1_mfn_valid_note 
> de49d6e83c3a8c753646b007972140ddbb746ba8 libelf: introduce macros
> for memory access and pointer handling 
> 4d3339de1fe3cbf7b05487fdb6cadd7267950948
> libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised 
> e719b136b750e5eee87c4647d1846e4e1e70eac0 libelf: abolish elf_sval
> and elf_access_signed f7fb94409c562beec06094141ef262dc85f28dac
> libxc: Fix range checking in xc_dom_pfn_to_ptr etc. 
> bbf40e6b6d47809f4289a866d7d167c25104ecc0 libxc: introduce
> xc_dom_seg_to_ptr_pages 64a0206c451920b72a9c5721a6f2427baf99e3dd
> libelf: abolish libelf-relocate.c
> 

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRwqqxAAoJEBYNRVNeJnmTHsIP+gMjk22r1tou75ZcDHamVxB4
aOMPuzMa8AwQrzMjVUK9H+VSNPPlchYQF3IWd/pyy5aHRf5FnQPUMlLFV+PB9RHD
i81FvKlq9KEKoLVl5WMpgqQFn1mV+A7tR5g73btgux5Pd49OV0xnVXQPp8R9tln0
TDd7bb21xZhd+8qOCa4I416beC4/B7SLD8fFaHQ0ZtOE7f7pUn7Reqo/DjDhgGnd
Bfi42LQxeKjU87Rw4k3u7hDSvYEh9rFxYs0NZBWh3i4WIsWY9L4kOsZvnDJJUMaB
lu4jhLTmfHDT8350WKdJmUgrPzgZcfavTakviiLlSxaBTd/mphf/sUF0PoftCykZ
HqjXv8DFFg+xOBq8DfTMdEZGsBh4NS+xSSsI8pS0qU8my6BtJONKfVDMPP+B7I7F
qY3tY+ns7AZgCavbCYGbNsrGpHWCNyzmN94755fvvz31lxqtWaGRiHqYySqwExDO
f+uLajX/4jcHq9E42zZoBOcOcV/C+3O7GhaI4sgCrFQe3Ie2dBPgo1rXTlbXgRsW
Wl1t6l1m4qv61KoQYvULL+zgzF82r3j3kTTcMYNYchpPNi7VDw1mRs2H2wwhkOTw
9IZA7IOdoKlyvOi/NiTHXRxyzYAoemJDqEqsjHAfTwUlS0WDOTJj/DgBJ/zfk06V
WRz82P+Iq2h8wVFhlw7h
=nUHR
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ