Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 13 Mar 2015 11:38:49 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 98 (CVE-2014-3969) - insufficient
 permissions checks accessing guest memory on ARM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-3969 / XSA-98
                              version 4

       insufficient permissions checks accessing guest memory on ARM

UPDATES IN VERSION 4
====================

Supply an additional patch for arm64. The original patches had the
permissions check backwards, meaning that a guest could read a
write-only mapping and vice versa, rendering the original fix
ineffective an inparticular not closing down the ability for a guest
to write to a readonly page via the hypervisor.

This issue was discussed on a public IRC channel and therefore it has
been agreed with the discoverer that it should not subject to a new
embargo.

32-bit ARM systems are not affected by this mistake; the original fix
remains correct for 32-bit.

ISSUE DESCRIPTION
=================

When accessing guest memory Xen does not correctly perform permissions
checks on the (possibly guest provided) virtual address: it only
checks that the mapping is readable by the guest, even when writing on
behalf of the guest.  This allows a guest to write to memory which
it should only be able to read.

A guest running on a vulnerable system is able to write to memory
which should be read-only.  This includes supposedly read only foreign
mappings established using the grant table mechanism.  Such read-only
mappings are commonly used as part of the paravirtualised I/O drivers
(such as guest disk write and network transmit).

In order to exploit this vulnerability the guest must have a mapping
of the memory; it does not allow access to arbitrary addresses.

In the event that a guest executes code from a page which has been
shared read-only with another guest it would be possible to mount a
take over attack on that guest.

IMPACT
======

A domain which is deliberately exchanging data with another,
malicious, domain, may be vulnerable to privilege escalation.  The
vulnerability depends on the precise behaviour of the victim domain.

In a typical configuration this means that, depending on the behaviour
of the toolstack or device driver domain, a malicious guest
administrator might be able to escalate their privilege to that of the
whole host.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.

MITIGATION
==========

None.

CREDITS
=======

This issue was discovered by Julien Grall.

RESOLUTION
==========

Applying the appropriate pair of attached patches along with the
additional update resolves this issue.

xsa98-unstable-{01,02}.patch        xen-unstable
xsa98-4.4-{01,02}.patch             Xen 4.4.x
xsa98-update.patch                  Additional update for both unstable and 4.4

$ sha256sum xsa98*.patch
b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb  xsa98-unstable-01.patch
f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67  xsa98-unstable-02.patch
6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b  xsa98-4.4-01.patch
b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d  xsa98-4.4-02.patch
8bb4a23174c0c9b1a23a41d4669900877483fd526d331d0c377c32845feb2eb8  xsa98-update.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJVAswXAAoJEIP+FMlX6CvZHBQIAJGGvIhPc7ZKa1uVGvY/wpbX
C3mjzLksdFVtIYfmMxTctuZytpA+s4DwrIRg2qfL1KA+2Qz/jjJP6HtzPM9Er8JJ
zEz9UUFreccDNHVxZW2vmHxKJ4T3SIPlmx/E3dsr9kiHLGalW3XvKwCgRJ5ZceID
nvasZuCPYK1zlTYnIQERQDjXVmUd2mipHBFI69o81dyZkLEtlB9OGXC+OZKPVE0A
GdvkEXhca6GYSvdD3t1nEoDrpsqMwpi1bYpd0dPoQbSW6cY7DomzcT5f4zmOJRxB
L/SYOqsl4SomH/FO0tYw1IrFQ1VVShmFlIre3EIeXWGa8LwAQUVt+qdYgvSPncc=
=slo3
-----END PGP SIGNATURE-----

Download attachment "xsa98-unstable-01.patch" of type "application/octet-stream" (5701 bytes)

Download attachment "xsa98-unstable-02.patch" of type "application/octet-stream" (7913 bytes)

Download attachment "xsa98-4.4-01.patch" of type "application/octet-stream" (5699 bytes)

Download attachment "xsa98-4.4-02.patch" of type "application/octet-stream" (7800 bytes)

Download attachment "xsa98-update.patch" of type "application/octet-stream" (954 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ