Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1lBzZi-0002bO-P6@xenbits.xenproject.org>
Date: Tue, 16 Feb 2021 12:35:30 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 363 v3 (CVE-2021-26934) - Linux: display
 frontend "be-alloc" mode is unsupported

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2021-26934 / XSA-363
                               version 3

        Linux: display frontend "be-alloc" mode is unsupported

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The backend allocation mode of Linux'es drm_xen_front drivers was
not meant to be a supported configuration, but this wasn't stated
accordingly in its support status entry.

IMPACT
======

Use of the feature may have unknown effects.

VULNERABLE SYSTEMS
==================

Linux versions from 4.18 onwards are affected.  Earlier Linux versions
do not provide the affected driver.

MITIGATION
==========

Not using the driver or its backend allocation mode will avoid the
vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the attached patch documents the situation.  The patch does
not fix any security issues.

xsa363.patch           xen-unstable

$ sha256sum xsa363*
cf2f2eff446aec625b19d9d01301ec66098b58b792d74012235f10c62a21bb68  xsa363.patch
$

-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmAru/UMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZSocH/3jAI0MeZtnhvuyOM4CxkNmr0fI4HIXnA1xGNhWY
Wa2WgtOuFVaPUFX1Tj/e6zCoibatl1gicETI9hL+w4Dg6/GzIeTogOuzv5D6Ux91
9a6n2tryFfSAs0OxTKq6etLv63VEEicYMHrZT8n700JFvJsAWYAMvuanMDknGxBP
5/Z+DASnZxT09cpvP4REKuG7rW9vIif+6EZ0T0kU87InouDts/YOhzNsdvBD1wKH
y5e/MZh2sOyMOovuhgbvoK+YezHTAcZeGWnUk3yQoTGnW3p+W9XZVURsc8/e2FbZ
heY3Tj918LsY50wGpMZ2PDoHC8PSHaUqEOTq0MPmnPlppvU=
=tJD0
-----END PGP SIGNATURE-----

Download attachment "xsa363.patch" of type "application/octet-stream" (658 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.