Date: Wed, 25 Jun 2014 12:37:20 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 101 - information leak via gnttab_setup_table on ARM

                    Xen Security Advisory XSA-101
                              version 2

           information leak via gnttab_setup_table on ARM

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

When initialising an internal data structure on ARM platform Xen was
not correctly initialising the memory containing the list of a
domain's grant table pages. This list is returned by the
GNTTABOP_setup_table subhypercall, leading to an information leak.

IMPACT
======

Malicious guest administrators can obtain some of the memory contents
of other domains:

Up to 8*max_nr_grant_frames bytes of uninitialised memory can be
leaked to the calling domain. This memory may have been previously
used by either the hypervisor or other guests.

The default max_nr_grant_frames is 32, hence by default 256 bytes may
be leaked in this way. However this can be overridden via the
"gnttab_max_nr_frames" hypervisor command line option.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.

MITIGATION
==========

None.

CREDITS
=======

This issue was discovered by Julien Grall.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa101.patch        xen-unstable, Xen 4.4.x

$ sha256sum xsa101*.patch
12ea475265a0804a3a42f620d7065a7408a5ae4b017c871847424c7247c204e9  xsa101.patch
$

Download attachment "xsa101.patch" of type "application/octet-stream" (690 bytes)
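
The C program below is an added example, not part of the advisory and not Xen source code. It models the bug class described under ISSUE DESCRIPTION (a per-domain list allocated without zeroing, then copied back to the caller) next to the zeroing form, and reproduces the 8*max_nr_grant_frames figure from IMPACT. All function names and the 0xA5 filler standing in for stale memory are constructed for illustration.

```c
/* Added illustration of the bug class; NOT Xen source code.
 * All function and variable names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NR_GRANT_FRAMES 32          /* default quoted in the advisory */

static uint64_t pool[MAX_NR_GRANT_FRAMES];

/* Stand-in allocator: returns memory still holding a previous owner's
 * data (constructed 0xA5 filler) unless the caller asks for zeroing. */
static uint64_t *alloc_frame_list(int zero)
{
    memset(pool, zero ? 0x00 : 0xA5, sizeof(pool));
    return pool;
}

/* Model of a setup_table-style call: copies nr_frames list entries to a
 * guest buffer when only the first `populated` entries were ever written.
 * Returns how many copied bytes were stale, or (size_t)-1 if rejected. */
static size_t stale_bytes_returned(int zero, unsigned populated,
                                   unsigned nr_frames)
{
    uint64_t guest_buf[MAX_NR_GRANT_FRAMES];
    uint64_t *list;
    size_t stale = 0;
    unsigned i;

    if (nr_frames > MAX_NR_GRANT_FRAMES)
        return (size_t)-1;
    list = alloc_frame_list(zero);
    for (i = 0; i < populated && i < nr_frames; i++)
        list[i] = 0x1000u + i;          /* entries the domain really set */
    memcpy(guest_buf, list, nr_frames * sizeof(*list));

    for (i = populated; i < nr_frames; i++)
        if (guest_buf[i] != 0)
            stale += sizeof(guest_buf[i]);
    return stale;
}

int main(void)
{
    printf("no zeroing: %zu stale bytes\n",
           stale_bytes_returned(0, 0, MAX_NR_GRANT_FRAMES));
    printf("zeroing:    %zu stale bytes\n",
           stale_bytes_returned(1, 0, MAX_NR_GRANT_FRAMES));
    return 0;
}
```

Zeroing at allocation time closes the leak regardless of how many entries are later populated, which is why it is preferable to relying on every reader to track which entries are valid.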