Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 30 Jun 2014 14:22:49 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 101 (CVE-2014-4022) - information leak via
 gnttab_setup_table on ARM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

           Xen Security Advisory CVE-2014-4022 / XSA-101
                            version 3

            information leak via gnttab_setup_table on ARM

UPDATES IN VERSION 3
====================

Provide the CVE.

ISSUE DESCRIPTION
=================

When initialising an internal data structure on ARM platform Xen was
not correctly initialising the memory containing the list of a
domain's grant table pages. This list is returned by the
GNTTABOP_setup_table subhypercall, leading to an information leak.

IMPACT
======

Malicious guest administrators can obtain some of the memory contents
of other domains:

Up to 8*max_nr_grant_frames bytes of uninitialised memory can be
leaked to the calling domain. This memory may have been previously
used by either the hypervisor or other guests.

The default max_nr_grant_frames is 32, hence by default 256 bytes may
be leaked in this way.  However this can be overridden via the
"gnttab_max_nr_frames" hypervisor command line option.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.

MITIGATION
==========

None.

CREDITS
=======

This issue was discovered by Julien Grall.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa101.patch        xen-unstable, Xen 4.4.x

$ sha256sum xsa101*.patch
12ea475265a0804a3a42f620d7065a7408a5ae4b017c871847424c7247c204e9  xsa101.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTsXKlAAoJEIP+FMlX6CvZAXwH/0Km16VstdF5P72chl3u9BsE
aWLe8Xdb9lmPXiIWM+q2NN+Jp8tL08Ia4fyD1OC5zJqtf6TReI9qsBkzo2O6EfjF
QdTluXrfYgkob0THsDW1Nd86wxy8UBLlz1dwu+jfKkYp9gMQgTtV1NNyrXEOwn1f
vepA/V2kOVss7U5+OXqe10HOm+bK4Qs0vYwu1HnG/y6/I39eP2FXw8jMDSB1pKcJ
1/zBll+R+LVXsQbJbKA6vS9RJiOeMXY1b8y6ThduVuW+bq/RydyqoTb25XPqhHcV
6FaDe3JlncXvpJp4OEaAiHPyBqPRvNgr3WWW16lFGTtlLJdc+43/24WkrLfok6o=
=srxg
-----END PGP SIGNATURE-----

Download attachment "xsa101.patch" of type "application/octet-stream" (690 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.