Date: Tue, 12 Aug 2014 13:03:33 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 103 (CVE-2014-5148) - Flaw in handling unknown system register access from 64-bit userspace on ARM -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-5148 / XSA-103 version 3 Flaw in handling unknown system register access from 64-bit userspace on ARM UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= When handling an unknown system register access from 64-bit userspace Xen would incorrectly return to the second instruction of the trap handler for faults in kernel space rather than the first instruction of the trap handler for faults in 64-bit userspace. Any user in a guest which is running a 64-bit kernel who is able to spawn a 64-bit process can cause a trap to the kernel to be taken at an unexpected (but not user controlled) exception address. Known versions of Linux in the default configuration will Oops and kill the offending process, and therefore avoid this vulnerability. However local configuration may turn such an Oops into a kernel panic, and therefore a guest denial of service. IMPACT ====== Depending on the guest kernel implementation, kernel crash (guest DoS) or privilege elevation to that of the guest kernel cannot be ruled out. This issue does not enable an attack on the host. VULNERABLE SYSTEMS ================== 64-bit ARM systems may be vulnerable, depending on the guest kernel. All versions of Linux released by Linux upstream to date avoid this vulnerability. Systems based on modified versions of Linux may be vulnerable. 32-bit ARM systems, and X86 systems, are not vulnerable. MITIGATION ========== There is no known mitigation for this issue. CREDITS ======= This issue was reported as a bug by Riku Voipio, discovered via Linaro's LAVA testing and was diagnosed as a security issue by Ian Campbell. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. The patch for XSA-103 (specifically, xsa102-*-02.patch) must be applied first. xsa103-unstable.patch xen-unstable xsa103-4.4.patch Xen 4.4.x $ sha256sum xsa103*.patch fee2e0be91d08aa28ba44b616edd99a1bfcdec419966c3f9e843a842d649e4ea xsa103-4.4.patch 838d059618d31b272ec10ac8cbb6613a68b634c98418aff2a33cd514ed06b55a xsa103-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJT6hBtAAoJEIP+FMlX6CvZ6+sIAMiAJEzJl2pWk61kr3QT1llk lYYEEX94QxxJIzg62o4RnMzYZXsmOT6y2YP62nEziRbBaFcgmB0bNrx+Qc52+QWk iea2lYAJUGmEdwnY6x2raLF6Wd2alCjZxXF1UzSJJ6Vu8WiTNFXHI+mKlc9JY4bN aStmfgvN3j6Nmjav8k9ar/8QVfc4Oe0xOlzwFt5DlNHewExWN1y+HtPnrBTkGu5K ckgjvbxs4/SF4No59XqY0XxdpEDIEXo46keJ07DG6/nVzIl83ZtpBhxiNX8xfz91 ZYzu6feGbgtvy1+utxo/l3qBAn7TrDXn58mLTgKTM2dD3D4Crv9tKLuOXF1xVLM= =hjBc -----END PGP SIGNATURE----- Download attachment "xsa103-4.4.patch" of type "application/octet-stream" (1078 bytes) Download attachment "xsa103-unstable.patch" of type "application/octet-stream" (1082 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.