Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 06 Feb 2014 12:38:51 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 85 - Off-by-one error in FLASK_AVC_CACHESTAT
 hypercall

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                     Xen Security Advisory XSA-85
                              version 2

          Off-by-one error in FLASK_AVC_CACHESTAT hypercall

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The FLASK_AVC_CACHESTAT hypercall, which provides access to per-cpu
statistics on the Flask security policy, incorrectly validates the
CPU for which statistics are being requested.

IMPACT
======

An attacker can cause the hypervisor to read past the end of an
array. This may result in either a host crash, leading to a denial of
service, or access to a small and static region of hypervisor memory,
leading to an information leak.

VULNERABLE SYSTEMS
==================

Xen version 4.2 and later are vulnerable to this issue when built with
XSM/Flask support. XSM support is disabled by default and is enabled
by building with XSM_ENABLE=y.

Only systems with the maximum supported number of physical CPUs are
vulnerable. Systems with a greater number of physical CPUs will only
make use of the maximum supported number and are therefore vulnerable.

By default the following maximums apply:
 * x86_32: 128 (only until Xen 4.2.x)
 * x86_64: 256
These defaults can be overridden at build time via max_phys_cpus=N.

The vulnerable hypercall is exposed to all domains.

MITIGATION
==========

Rebuilding Xen with more supported physical CPUs can avoid the
vulnerability; provided that the supported number is strictly greater
than the actual number of CPUs on any host on which the hypervisor is
to run.

If XSM is compiled in, but not actually in use, compiling it out (with
XSM_ENABLE=n) will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa85.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa85*.patch
20571024e6815eeb40d2f92a3d70ae699047cffafb5431ec74b652e0843a5315  xsa85.patch
$

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJS84H+AAoJEIP+FMlX6CvZXy8H/An+HT3e3Av9G3PWIv+i10O3
FE7fhT53tBCbDlcqDghoO9PE6YctWV8glJHdg5TfpzXkjbVL2Go/poUhwvVqxePj
ja5x5saXHvXoKwglc7sZmryil5bhecTKspNL5AfTlvP4dyNZMnOAvlbnyCtKUS45
bH0TSonTL50yRH1tCEaIKYDnOisIk3E5yduIpkRnqwamKw+DbHMGlmq5sPZq4rLH
EYa/yhqh4bDStGAlRuBHG8ms+F7SgxH8dTjXhCbTe5BeAxYg1cP5yGX61y14xJJt
KAObUS4E1KOcP1jRWIQ1HhHQxwWwEDdRk+ZQspGuIt34hY1SfMcbpFu7LutcI4Y=
=SiDW
-----END PGP SIGNATURE-----

Download attachment "xsa85.patch" of type "application/octet-stream" (948 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.