[kernel-xen] Xen Security Advisory 136 (CVE-2015-4164) - vulnerability in the iret hypercall handler

Steven Haigh netwiz at crc.id.au
Thu Jun 11 22:38:36 AEST 2015 

            Xen Security Advisory CVE-2015-4164 / XSA-136
                              version 3

              vulnerability in the iret hypercall handler

UPDATES IN VERSION 3
====================

Public release.

Added email header syntax to patches, for e.g. git-am.

ISSUE DESCRIPTION
=================

A buggy loop in Xen's compat_iret() function iterates the wrong way
around a 32-bit index.  Any 32-bit PV guest kernel can trigger this
vulnerability by attempting a hypercall_iret with EFLAGS.VM set.

Given the use of __get/put_user(), and that the virtual addresses in
question are contained within the lower canonical half, the guest
cannot clobber any hypervisor data.  Instead, Xen will take up to 2^33
pagefaults, in sequence, effectively hanging the host.

IMPACT
======

Malicious guest administrators can cause a denial of service affecting
the whole system.

VULNERABLE SYSTEMS
==================

Only 64-bit x86 (ARCH=x86_64) builds of Xen are vulnerable.  32-bit
builds (ARCH=x86_32) (necessarily of Xen 4.2 or earlier), are not
affected.

Xen versions 3.1 or later are vulnerable.

ARM systems are not vulnerable.

Only 32-bit PV guests can exploit the vulnerability.

MITIGATION
==========

Systems which only need to run 32-bit guests and are running Xen 4.2
or earlier can avoid the vulnerability by using a 32-bit build of Xen
instead of a 64-bit build.  (The dom0 operating system would have to
be 32-bit too.)

If the boot process and kernel for the guest can be controlled,
forcing it to use a 64-bit kernel will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

* Thu Jun 11 2015 Steven Haigh <netwiz at crc.id.au> - 4.2.5-18
- XSA-134 (CVE-2015-4163) GNTTABOP_swap_grant_ref operation misbehavior
- XSA-136 (CVE-2015-4164) vulnerability in the iret hypercall handler

Thu Jun 11 2015 Steven Haigh <netwiz at crc.id.au> - 4.4.1-18
- XSA-134 (CVE-2015-4163) GNTTABOP_swap_grant_ref operation misbehavior
- XSA-136 (CVE-2015-4164) vulnerability in the iret hypercall handler

Thu Jun 11 2015 Steven Haigh <netwiz at crc.id.au> - 4.5.0-0.13
- XSA-134 (CVE-2015-4163) GNTTABOP_swap_grant_ref operation misbehavior
- XSA-136 (CVE-2015-4164) vulnerability in the iret hypercall handler

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.wireless.org.au/pipermail/kernel-xen/attachments/20150611/b7647801/attachment.sig>

More information about the kernel-xen mailing list