Date: Thu, 20 Jun 2013 01:09:38 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Xen.org security team" <security@....org>, xen-announce@...ts.xen.org,
        xen-devel@...ts.xen.org, xen-users@...ts.xen.org
Subject: Re: Xen Security Advisory 55 - Multiple vulnerabilities
 in libelf PV kernel handling


On 06/14/2013 10:46 AM, Xen.org security team wrote:
> Xen Security Advisory XSA-55 version 4
> 
> Multiple vulnerabilities in libelf PV kernel handling
> 
> UPDATES IN VERSION 4
> ====================
> 
> We are sending out a version 4 of this advisory with no files 
> attached.  This is because the size of the version 3 advisory
> email caused delivery problems for some recipients.
> 
> This version instead quotes the patchset git changeset ids in
> xen.git.
> 
> UPDATES IN VERSION 3
> ====================
> 
> Fixed patch series provided.  These patches have been as
> thoroughly reviewed as possible and subjected to various regression
> testing.
> 
> NOTE REGARDING CVE
> ==================
> 
> We have not yet been assigned a CVE number for this issue.
> 
> ISSUE DESCRIPTION
> =================
> 
> The ELF parser used by the Xen tools to read domains' kernels and 
> construct domains has multiple integer overflows, pointer
> dereferences based on calculations from unchecked input values, and
> other problems.

Apologies for the delay on this. I tried to tease all the issues apart
and ended up taking the coward's way out (which I should have in the
first place, apologies to the Xen guys). Please use:

CVE-2013-2194 XEN XSA-55 integer overflows
CVE-2013-2195 XEN XSA-55 pointer dereferences
CVE-2013-2196 XEN XSA-55 other problems

> IMPACT
> ======
> 
> A malicious PV domain administrator who can specify their own
> kernel can escalate their privilege to that of the domain
> construction tools (i.e., normally, to control of the host).
> 
> Additionally a malicious HVM domain administrator who is able to 
> supply their own firmware ("hvmloader") can do likewise; however
> we think this would be very unusual and it is unlikely that such 
> configurations exist in production systems.
> 
> VULNERABLE SYSTEMS
> ==================
> 
> All Xen versions are affected.
> 
> Installations which only allow the use of trustworthy kernels for
> PV domains are not affected.
> 
> MITIGATION
> ==========
> 
> Ensuring that PV guests use only trustworthy kernels will avoid
> this problem.
> 
> RESOLUTION
> ==========
> 
> Applying the appropriate patch series will resolve this issue.
> 
> These were attached to v3 of the advisory which can be found here: 
> http://lists.xen.org/archives/html/xen-devel/2013-06/msg01626.html
> 
> These are available in xen.git 
> http://xenbits.xen.org/gitweb/?p=xen.git 
> git://xenbits.xen.org/xen.git 
> http://xenbits.xen.org/git-http/xen.git in the git changesets
> listed below.
> 
> xen-unstable:
> 
> 82cb4113b6ace16de192021de20f6cbd991e478f libxc: Better range check in xc_dom_alloc_segment
> 966070058d02cce9684e30073b61d6465e4b351c libxc: check blob size before proceeding in xc_dom_check_gzip
> de7911eaef98b6643d80e4612fe4dcd4528d15b9 libxc: range checks in xc_dom_p2m_host and _guest
> 3d5a1d4733e55e33521cd5004cab1313e5c5d5ff libxc: check return values from malloc
> aaebaba5ae225f591e0602e071037a935bb281b6 libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
> 2bcee4b3c316379f4b52cb308947eb6db3faf1a0 libxc: Add range checking to xc_dom_binloader
> 66fe2726fe8492676f9970b9c2c511bce6186ece libelf: abolish obsolete macros
> 39bf7b9d0ae534491745e54df5232127c0bddaf1 libelf: check loops for running away
> a004800f8fc607b96527815c8e3beabcb455d8e0 libelf: use only unsigned integers
> 7a549a6aa04dba807f8dd4c1577ab6a7592c4c76 libelf: use C99 bool for booleans
> c84481fbc7de7d15ff7476b3b9cd2713f81feaa3 libelf: Make all callers call elf_check_broken
> 943de71cf07d9d04ccb215bd46153b04930e9f25 libelf: Check pointer references in elf_is_elfbinary
> 65808a8ed41cc7c044f588bd6cab5af0fdc0e029 libelf: check all pointer accesses
> 04877847ade4ac9216e9f408fd544ade8f90cf9a libelf: check nul-terminated strings properly
> 50421bd56bf164f490d7d0bf5741e58936de41e8 tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
> 85256359995587df00001dca22e9a76ba6ea8258 libelf: introduce macros for memory access and pointer handling
> 95dd49bed681af93f71a401b0a35bf2f917c6e68 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
> f7aa72ec00aec71eed055dac5e8a151966d75c9c libelf: move include of <asm/guest_access.h> to top of file
> 13e2c808f7ea721c8f200062e2b9b977ee924471 libelf: abolish elf_sval and elf_access_signed
> 009ddca51504ce80889937e485d44ac0f9290d63 libelf: add `struct elf_binary*' parameter to elf_load_image
> b5a869209998fedadfe205d37addbd50a802998b libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
> 53bfcf585b09eb4ac2240f89d1ade77421cd2451 libxc: introduce xc_dom_seg_to_ptr_pages
> 14573b974850d82de7aebad17e6471d27d847f2c libelf: abolish libelf-relocate.c
> 
> Xen 4.2.x:
> 
> d21d36e84354c04638b60a739a5f7c3d9f8adaf8 libxc: Better range check in xc_dom_alloc_segment
> 2a548e22915535ac13694eb38222903bca7245e3 libxc: check blob size before proceeding in xc_dom_check_gzip
> 052a689aa526ca51fd70528d4b0f83dfb2de99c1 libxc: range checks in xc_dom_p2m_host and _guest
> 8dc90d163650ce8aa36ae0b46debab83cc61edb6 libxc: check return values from malloc
> 77c0829fa751f052f7b8ec08287aef6e7ba97bc5 libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
> b06e277b1fc08c7da3befeb3ac3950e1d941585d libxc: Add range checking to xc_dom_binloader
> 3baaa4ffcd3e7dd6227f9bdf817f90e5b75aeda2 libelf: abolish obsolete macros
> 52d8cc2dd3bb3e0f6d51e00280da934e8d91653a libelf: check loops for running away
> e673ca50127b6c1263727aa31de0b8bb966ca7a2 libelf: use only unsigned integers
> 3fb6ccf2faccaf5e22e33a3155ccc72d732896d8 libelf: use C99 bool for booleans
> a965b8f80388603d439ae2b8ee7b9b018a079f90 libelf: Make all callers call elf_check_broken
> d0790bdad7496e720416b2d4a04563c4c27e7b95 libelf: Check pointer references in elf_is_elfbinary
> cc8761371aac432318530c2ddfe2c8234bc0621f libelf: check all pointer accesses
> db14d5bd9b6508adfcd2b910f454fae12fa4ba00 libelf: check nul-terminated strings properly
> 59f66d58180832af6b99a9e4489031b5c2f627ab tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
> 40020ab55a1e9a1674ddecdb70299fab4fe8579d libelf: introduce macros for memory access and pointer handling
> de9089b449d2508b1ba05590905c7ebaee00c8c4 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
> 682a04488e7b3bd6c3448ab60599566eb7c6177a libelf: move include of <asm/guest_access.h> to top of file
> 83ec905922b496e1a5756e3a88405eb6c2c6ba88 libelf: abolish elf_sval and elf_access_signed
> 035634047d10c678cbb8801c4263747bdaf4e5b1 libelf: add `struct elf_binary*' parameter to elf_load_image
> 8c738fa5c1f3cfcd935b6191b3526f7ac8b2a5bd libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
> a672da4b2d58ef12be9d7407160e9fb43cac75d9 libxc: introduce xc_dom_seg_to_ptr_pages
> 9737484becab4a25159f1e985700eaee89690d34 libelf: abolish libelf-relocate.c
> 
> Xen 4.1.x:
> 
> ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978 libxc: check blob size before proceeding in xc_dom_check_gzip
> 6eca85d5c144ee8c899ee3cf8791f9087b15f2e8 libxc: range checks in xc_dom_p2m_host and _guest
> a2986a7959919bc748784bb75970bfbd42697d3b libxc: check return values from malloc
> 117a538dbef62f8d39159dea652e633e01b50a9a libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
> 40b76f1fb04af421c1415f7bcb168dfaa6960d0d libxc: Add range checking to xc_dom_binloader
> 4a3a60d8caee49af6951a672c55b08436a8d1f86 libelf: abolish obsolete macros
> 968c0399159c65e24bb8b9969259e18791e1f4d8 libelf: check loops for running away
> 282188ea84b9e0f9c4865f0609e7740f2f28e7b0 libxc: Introduce xc_bitops.h
> 86e39ce58e91fe55d4fdbc914cb1955c45acc20e libelf: use only unsigned integers
> bd3dba9f435fa59f305407f7d9b34e1e164ddd98 libelf: use C99 bool for booleans
> 44c74b1ed31c75ed9026abf62ab7427a46d8027a libelf: Make all callers call elf_check_broken
> 9962d7ffcce97ec2d69a15ef861996b1ead33694 libelf: Check pointer references in elf_is_elfbinary
> 39923542bb43e67776c4e8292d4a5a1adef2bd3b libelf: check all pointer accesses
> 8ce60b35beaac91a97b79c004ca6bf5d58e7390b libelf: check nul-terminated strings properly
> 4e46085972d2367dff2345a73361c1c17b47ce73 tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
> de49d6e83c3a8c753646b007972140ddbb746ba8 libelf: introduce macros for memory access and pointer handling
> 4d3339de1fe3cbf7b05487fdb6cadd7267950948 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
> e719b136b750e5eee87c4647d1846e4e1e70eac0 libelf: abolish elf_sval and elf_access_signed
> f7fb94409c562beec06094141ef262dc85f28dac libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
> bbf40e6b6d47809f4289a866d7d167c25104ecc0 libxc: introduce xc_dom_seg_to_ptr_pages
> 64a0206c451920b72a9c5721a6f2427baf99e3dd libelf: abolish libelf-relocate.c
> 

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
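The fixes listed in the quoted advisory (range checks in libxc, checked pointer accesses, unsigned-only arithmetic and bounded loops in libelf) all come down to validating every offset and length taken from an untrusted kernel image before it is used to form a pointer. The following C program is an added illustration written for this page, not Xen's libelf code: it checks the program header table of an untrusted ELF64 little-endian image with wrap-proof range checks, and exercises the check against a constructed image with a valid layout, with an e_phoff chosen so that a naive off+len comparison would wrap, and with an oversized p_filesz. All function and constant names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define EHDR_SIZE 64u   /* sizeof(Elf64_Ehdr) */
#define PHDR_SIZE 56u   /* sizeof(Elf64_Phdr) */

/* Little-endian field readers for an untrusted byte buffer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t rd64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* True if [off, off+len) lies inside a blob of blob_size bytes. The subtraction
 * form never computes off+len, so a huge off cannot wrap around and pass. */
static bool range_ok(uint64_t off, uint64_t len, uint64_t blob_size) {
    return off <= blob_size && len <= blob_size - off;
}

/* Validate the ELF64 header and every program header of an untrusted image.
 * Returns e_phnum on success, -1 if any offset or size points outside the blob. */
int elf_check_phdrs(const uint8_t *blob, size_t blob_size) {
    if (blob_size < EHDR_SIZE || memcmp(blob, "\x7f" "ELF", 4) != 0) return -1;
    if (blob[4] != 2 || blob[5] != 1) return -1;          /* ELFCLASS64, little-endian only */
    uint64_t phoff = rd64(blob + 32);                      /* e_phoff */
    uint16_t phentsize = rd16(blob + 54), phnum = rd16(blob + 56);
    if (phentsize < PHDR_SIZE) return -1;
    /* Both factors are 16-bit, so the 64-bit product cannot overflow. */
    if (!range_ok(phoff, (uint64_t)phentsize * phnum, blob_size)) return -1;
    for (uint16_t i = 0; i < phnum; i++) {                 /* table range checked above: loop cannot run away */
        const uint8_t *ph = blob + phoff + (uint64_t)i * phentsize;
        if (!range_ok(rd64(ph + 8), rd64(ph + 32), blob_size)) return -1; /* p_offset, p_filesz */
    }
    return phnum;
}

/* Constructed 128-byte sample image: header, one phdr at offset 64, segment data at [120,128). */
static void put64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void build_image(uint8_t img[128], uint64_t phoff, uint64_t p_filesz) {
    memset(img, 0, 128);
    memcpy(img, "\x7f" "ELF\x02\x01\x01", 7);
    put64(img + 32, phoff); img[54] = PHDR_SIZE; img[56] = 1;  /* e_phoff, e_phentsize, e_phnum */
    put64(img + 64 + 8, 120); put64(img + 64 + 32, p_filesz); /* p_offset, p_filesz */
}
int demo_good(void)             { uint8_t img[128]; build_image(img, 64, 8);              return elf_check_phdrs(img, 128); } /* 1 */
int demo_wrapping_phoff(void)   { uint8_t img[128]; build_image(img, UINT64_MAX - 40, 8); return elf_check_phdrs(img, 128); } /* -1: off+56 would wrap to 15 */
int demo_oversized_filesz(void) { uint8_t img[128]; build_image(img, 64, 9);              return elf_check_phdrs(img, 128); } /* -1: 120+9 > 128 */
```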
