Date: Mon, 30 Sep 2013 12:04:18 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 64 (CVE-2013-4356) - Memory accessible by 64-bit PV guests under live migration -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-4356 / XSA-64 version 3 Memory accessible by 64-bit PV guests under live migration UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= On some hardware, during live migration of 64-bit PV guests, some parts of the guest's shadow pagetables are mistakenly filled in with hypervisor mappings. This causes Xen to crash when those mappings are later cleared. Before the crash, a malicious guest could use hypercalls to cause Xen to read and write the parts of memory pointed to by the stray mappings. IMPACT ====== A malicious 64-bit PV guest, on a vulnerable host system, that can arrange for itself to be live-migrated, could read or write memory at high physical addresses on the host. Note that once such a guest begins live migration the host is likely to eventually crash, either when the live migration completes or on an earlier page fault. This crash could be avoided if the malicious guest uses its improperly escalated privilege to prevent it. VULNERABLE SYSTEMS ================== Xen 4.3.x and xen-unstable are vulnerable. Xen 4.2.x and earlier releases are not vulnerable. In addition, only hosts with RAM extending past 5TB are affected. On any host that is affected (and has not yet been successfully attacked), live migration of a 64-bit PV guest will deterministically crash the host. If you can migrate a 64-bit PV guest from from host A to host B, without crashing host A, then host A is not affected by this bug. MITIGATION ========== Running only HVM and 32-bit PV guests or preventing live migration of 64-bit PV guests will avoid this issue. CREDITS ======= Andrew Cooper found the issue as a bug, which on examination by the Xenproject.org Security Team turned out to be a security problem. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa64.patch xen-unstable, xen-4.3 $ sha256sum xsa64.patch 061396916de992c43b8637909d315581589e5fc28f238aca6822947b45445a47 xsa64.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJSSUynAAoJEIP+FMlX6CvZbVsH/i4Lqqfrx+cKZJwVWEqc9Ufz YT9nJzy0nyHPmS8SB4CluhE6Uiy8xi0MwNZLRVTrpuchoFbnWETOpplaKbKasMs3 OtHtmYKxdZWWYGl5kNydx5d8pJ4OCftJ/zJbSQRBG2buORF8by1MTzq2sVzJRca6 PcJqruGXlscsPo9B9OxAg4zH5rQo+E3jg0JuuG2qNDYzSDB/tx4WO0uOjkhwxyR6 eL/sHIzNqUcTLxGUhS4xjfnbjfLJ+WaHUvTJOC3Hu6tmcIBke9p99sRZV8dgToxp OB4i02D8z3Rskjda8KgddWGbaOZPM75N47TCgGxh2r0Z46Eg5Pjye/2+VFHpW9U= =7bGU -----END PGP SIGNATURE----- Download attachment "xsa64.patch" of type "application/octet-stream" (2353 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.