Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <E1YWRzm-0008Az-7I@xenbits.xen.org>
Date: Fri, 13 Mar 2015 15:59:30 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 98 (CVE-2014-3969) - insufficient
 permissions checks accessing guest memory on ARM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-3969 / XSA-98
                              version 5

       insufficient permissions checks accessing guest memory on ARM

UPDATES IN VERSION 5
====================

The issue described in update 4 also affects Xen 4.5 which was not
released at the time of the original advisory.  The extra patch
supplied with version 4 of this advisory is for Xen 4.5.x (as well as
4.4.x and xen-unstable).

Added credits for updated issue.

UPDATES IN VERSION 4
====================

Supply an additional patch for arm64. The original patches had the
permissions check backwards, meaning that a guest could read a
write-only mapping and vice versa, rendering the original fix
ineffective an inparticular not closing down the ability for a guest
to write to a readonly page via the hypervisor.

This issue was discussed on a public IRC channel and therefore it has
been agreed with the discoverer that it should not subject to a new
embargo.

32-bit ARM systems are not affected by this mistake; the original fix
remains correct for 32-bit.

ISSUE DESCRIPTION
=================

When accessing guest memory Xen does not correctly perform permissions
checks on the (possibly guest provided) virtual address: it only
checks that the mapping is readable by the guest, even when writing on
behalf of the guest.  This allows a guest to write to memory which
it should only be able to read.

A guest running on a vulnerable system is able to write to memory
which should be read-only.  This includes supposedly read only foreign
mappings established using the grant table mechanism.  Such read-only
mappings are commonly used as part of the paravirtualised I/O drivers
(such as guest disk write and network transmit).

In order to exploit this vulnerability the guest must have a mapping
of the memory; it does not allow access to arbitrary addresses.

In the event that a guest executes code from a page which has been
shared read-only with another guest it would be possible to mount a
take over attack on that guest.

IMPACT
======

A domain which is deliberately exchanging data with another,
malicious, domain, may be vulnerable to privilege escalation.  The
vulnerability depends on the precise behaviour of the victim domain.

In a typical configuration this means that, depending on the behaviour
of the toolstack or device driver domain, a malicious guest
administrator might be able to escalate their privilege to that of the
whole host.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.

MITIGATION
==========

None.

CREDITS
=======

This issue was discovered by Julien Grall.

The additional issue reported in update 4 was discovered by Tamas K
Lengyel.

RESOLUTION
==========

Applying the appropriate pair of attached patches along with the
additional update resolves this issue.

xsa98-unstable-{01,02}.patch        xen-unstable
xsa98-4.4-{01,02}.patch             Xen 4.4.x
xsa98-update.patch                  Additional update for unstable, 4.5.x and 4.4.x

$ sha256sum xsa98*.patch
b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb  xsa98-unstable-01.patch
f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67  xsa98-unstable-02.patch
6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b  xsa98-4.4-01.patch
b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d  xsa98-4.4-02.patch
8bb4a23174c0c9b1a23a41d4669900877483fd526d331d0c377c32845feb2eb8  xsa98-update.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJVAwlFAAoJEIP+FMlX6CvZBGMH/1qZuF20x5mfSn9TPDXJZrU4
dc6Jab7VDISnfy2CkLPsyLeaOolWm34HgP0a+vggInuxtKmo7TIvoJBUVi6ndsJI
mqSWsoUvOl6PthAB1/4WNH2e/wySxBLFEwQWnUZRXxW32LrQzb+rVcJvvHjZiYKR
p7NYKYklCZDKhmX5DdANjO1RDg561UnenEMsgUbOdyjsk2s8o+/ni927ZUzhnxQe
NY9LqpgOyjBLb+5tStq2v03A+ax7mgzRMQLYlWsuY+Vt08HQsPuEPxN9JNkpmEwb
A46OICRNMEwzKmt6ZKpYJSibiffHAMm5aeRd2SalpUjlIAg67H/LHf0vV/4bJ9o=
=igf6
-----END PGP SIGNATURE-----

Download attachment "xsa98-unstable-01.patch" of type "application/octet-stream" (5701 bytes)

Download attachment "xsa98-unstable-02.patch" of type "application/octet-stream" (7913 bytes)

Download attachment "xsa98-4.4-01.patch" of type "application/octet-stream" (5699 bytes)

Download attachment "xsa98-4.4-02.patch" of type "application/octet-stream" (7800 bytes)

Download attachment "xsa98-update.patch" of type "application/octet-stream" (954 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.