Bug 38173 – xen: Multiple issues (3.2)

Bug 38173 - xen: Multiple issues (3.2)


Summary:	xen: Multiple issues (3.2)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 3.2
Hardware:	Other Linux

Importance:	P1 normal (vote)
Target Milestone:	UCS 3.2-5-errata
Assigned To:	Philipp Hahn
QA Contact:	Stefan Gohmann

URL:
Keywords:

Depends on:
Blocks:	38565
	Show dependency tree / graph

Reported:	2015-03-31 15:43 CEST by Arvid Requate
Modified:	2015-05-21 16:04 CEST (History)
CC List:	3 users (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
CVE-2015-3456.patch from debian package version 4.1.4-3+deb7u6 (2.53 KB, patch) 2015-05-19 15:46 CEST, Arvid Requate	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2015-03-31 15:43:55 CEST

Certain domctl operations may be abused to lock up the host (CVE-2015-2751)

Denial of service against host by malicious HVM guest with assigned PCI device with pass-through (Long latency MMIO mapping operations are not preemptible) (CVE-2015-2752)

Denial of service against host by HVM guest with assigned PCI device with pass-through (Unmediated PCI command register access in qemu) (CVE-2015-2756)

Comment 1 Arvid Requate

2015-03-31 16:56:56 CEST

ignore CVE-2015-2751: doesn't affect Xen versions 4.2 and earlier.

Comment 2 Arvid Requate

2015-04-01 11:51:37 CEST

* Denial of service against host by guest with assigned PCI device with pass-through (Non-maskable interrupts triggerable by guests) (CVE-2015-2150)

Comment 3 Arvid Requate

2015-04-07 12:41:26 CEST

* HVM qemu unexpectedly enabling emulated VGA graphics backends (CVE-2015-2152)

Comment 4 Arvid Requate

2015-04-28 15:12:36 CEST

* Information leak through XEN_DOMCTL_gettscinfo (CVE-2015-3340)

Comment 5 Arvid Requate

2015-05-13 18:27:43 CEST

* HVM guests using the traditional "qemu-xen" which have access to an emulated floppy device can take over the qemu process elevating its privilege to that of the qemu process. Guests using a qemu-dm stubdomain to run the device model are only vulnerable to takeover of that service domain (CVE-2015-3456)

Comment 6 Arvid Requate

2015-05-19 15:31:05 CEST

Upstream patches for CVE-2015-3456 are here:

http://xenbits.xen.org/xsa/advisory-133.html

Comment 7 Arvid Requate

2015-05-19 15:46:57 CEST

Created attachment 6912 [details]
CVE-2015-3456.patch from debian package version 4.1.4-3+deb7u6

Unfixed in Debian: CVE-2015-2152 CVE-2015-2752 CVE-2015-3340

Not affected by:
* CVE-2015-2756 (Vulnerable code not present)
* CVE-2015-2150 (affects linux, that's Bug #38008)

So the only fixable issue for now is the VENOM vulnerability (CVE-2015-3456). Please fix that ASAP and split off the unfixed issues into a new bug.

Comment 8 Arvid Requate

2015-05-19 17:57:44 CEST

I applied the patch in SVN, but the package build currently fails with a strange error. The only guess I currently have is that it somehow thinks that it should build 64-bit code in dimma?:

===========================================================================
gcc -Wall -g -O2 -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .subdirs-all.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE  -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .subdir-all-libxc.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE  -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .build.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE -I../../xen/common/libelf -Werror -Wmissing-prototypes  -I. -I../xenstore -I../include -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .libxenctrl.so.4.0.0.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE -I../../xen/common/libelf -Werror -Wmissing-prototypes  -I. -I../xenstore -I../include     -Wl,--no-as-needed    -Wl,--no-as-needed    -Wl,--no-as-needed -L.    -Wl,--no-as-needed -L. -Wl,-soname -Wl,libxenctrl.so.4.0 -ldl -shared -o libxenctrl.so.4.0.0 xc_core.opic xc_core_x86.opic xc_cpupool.opic xc_domain.opic xc_evtchn.opic xc_gnttab.opic xc
_misc.opic xc_acm.opic xc_flask.opic xc_physdev.opic xc_private.opic xc_sedf.opic xc_csched.opic xc_csched2.opic xc_arinc653.opic xc_tbuf.opic xc_pm.opic xc_cpu_hotplug.opic xc_resume.opic xc_tmem.opic xc_mem_event.opic xc_mem_paging.opic xc_mem_access.opic xc_memshr.opic xc_hcall_buf.opic xc_foreign_memory.opic xtl_core.opic xtl_logger_stdio.opic xc_pagetab.opic xc_linux.opic xc_linux_osdep.opic -lpthread
/usr/bin/ld: skipping incompatible /usr/lib/gcc/i486-linux-gnu/4.4.5/../../../libdl.so when searching for -ldl
/usr/bin/ld: skipping incompatible /usr/lib/gcc/i486-linux-gnu/4.4.5/../../../libdl.a when searching for -ldl
/usr/bin/ld: skipping incompatible /usr/lib/libdl.so when searching for -ldl
/usr/bin/ld: skipping incompatible /usr/lib/libdl.a when searching for -ldl
/usr/bin/ld: cannot find -ldl
collect2: ld returned 1 exit status
make[4]: *** [libxenctrl.so.4.0.0] Error 1
===========================================================================

There is a previous build log ucs_3.2-0-errata3.2-5.xen-4.1.201503110812.log.bz2 which is fine.

Comment 9 Philipp Hahn

2015-05-20 19:29:54 CEST

# ssh -t dimma chroot /proc/25880/root su -l -s /bin/bash pbuser

$ file -L /usr/lib/libdl.so /usr/lib/libdl.a 
/usr/lib/libdl.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
/usr/lib/libdl.a:  current ar archive
$ uname -m
x86_64
$ dpkg --print-architecture
i386

$ cd ~/xen-4.1-4.1.3/xen-4.1.3/tools/libxc
$ gcc -Wall -g -O2 -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .subdirs-all.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE  -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .subdir-all-libxc.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE  -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .build.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE -I../../xen/common/libelf -Werror -Wmissing-prototypes  -I. -I../xenstore -I../include -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .libxenctrl.so.4.0.0.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE -I../../xen/common/libelf -Werror -Wmissing-prototypes  -I. -I../xenstore -I../include     -Wl,--no-as-needed    -Wl,--no-as-needed    -Wl,--no-as-needed -L.    -Wl,--no-as-needed -L. -Wl,-soname -Wl,libxenctrl.so.4.0 -ldl -shared -o libxenctrl.so.4.0.0 xc_core.opic xc_core_x86.opic xc_cpupool.opic xc_domain.opic xc_evtchn.opic xc_gnttab.opic xc_misc.opic xc_acm.opic xc_flask.opic xc_physdev.opic xc_private.opic xc_sedf.opic xc_csched.opic xc_csched2.opic xc_arinc653.opic xc_tbuf.opic xc_pm.opic xc_cpu_hotplug.opic xc_resume.opic xc_tmem.opic xc_mem_event.opic xc_mem_paging.opic xc_mem_access.opic xc_memshr.opic xc_hcall_buf.opic xc_foreign_memory.opic xtl_core.opic xtl_logger_stdio.opic xc_pagetab.opic xc_linux.opic xc_linux_osdep.opic -lpthread -v

$ /usr/lib/gcc/i486-linux-gnu/4.4.5/collect2 --build-id --eh-frame-hdr -m elf_x86_64 --hash-style=both -shared -o libxenctrl.so.4.0.0 /usr/lib/gcc/i486-linux-gnu/4.4.5/../../../crti.o /usr/lib/gcc/i486-linux-gnu/4.4.5/crtbeginS.o -L. -L. -L/usr/lib/gcc/i486-linux-gnu/4.4.5/../../../../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/i486-linux-gnu/4.4.5 -L/usr/lib/gcc/i486-linux-gnu/4.4.5 -L/usr/lib/gcc/i486-linux-gnu/4.4.5/../../.. --no-as-needed --no-as-needed --no-as-needed --no-as-needed -soname libxenctrl.so.4.0 -ldl xc_core.opic xc_core_x86.opic xc_cpupool.opic xc_domain.opic xc_evtchn.opic xc_gnttab.opic xc_misc.opic xc_acm.opic xc_flask.opic xc_physdev.opic xc_private.opic xc_sedf.opic xc_csched.opic xc_csched2.opic xc_arinc653.opic xc_tbuf.opic xc_pm.opic xc_cpu_hotplug.opic xc_resume.opic xc_tmem.opic xc_mem_event.opic xc_mem_paging.opic xc_mem_access.opic xc_memshr.opic xc_hcall_buf.opic xc_foreign_memory.opic xtl_core.opic xtl_logger_stdio.opic xc_pagetab.opic xc_linux.opic xc_linux_osdep.opic -lpthread -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/i486-linux-gnu/4.4.5/crtendS.o /usr/lib/gcc/i486-linux-gnu/4.4.5/../../../crtn.o

Where does the "-m elf_x86_64" come from?


Idea: dimma was moved from xen13 HW back to a VM, which is 64 bit? Thus "uname -r" returns x86 and some xen scripts uses that?

$ ssh dimma uname -m
x86_64
$ ssh dimma dpkg --print-architecture
i386
$ ssh dimma aptitude search '?name(linux-image)?installed'
i   linux-image-3.10.0-ucs108-amd64     - Linux 3.10 for 64-bit PCs

Comment 10 Philipp Hahn

2015-05-21 08:13:05 CEST

Rebootet dimma to use a 32 bit kernel again:
 $ ssh dimma uname -r -m
 3.10.0-ucs114-686-pae i686

Package: xen-4.1
Version: 4.1.3-20.51.201505202321
Branch: ucs_3.2-0
Scope: errata3.2-5

r60813 | Bug #38173: xen-4.1 YAML
 2015-05-19-xen-4.1.yaml

Comment 11 Stefan Gohmann

2015-05-21 14:16:21 CEST

YAML: OK

Tests: OK

Comment 12 Stefan Gohmann

2015-05-21 14:18:50 CEST

(In reply to Stefan Gohmann from comment #11)
> Tests: OK

I was unable to add a floppy to a PV instance (UCS) but it is independent from the Xen version and seems to be a bug in UVMM / libvirt.  It works with a HVM instance.

Comment 13 Janek Walkenhorst

2015-05-21 15:56:48 CEST

<http://errata.univention.de/ucs/3.2/336.html>

Comment 14 Philipp Hahn

2015-05-21 16:04:57 CEST

OK: amd64 @ xen14
OK: UCS-3.2-6
OK: UCS-4.0-2 (no VNC, needs text mode installer and "xen_emul_unplug=never")

[    0.000000] Linux version 3.16-ucs109-amd64 (debian-kernel@lists.debian.org) (gcc version 4.7.2 (Debian 4.7.2-5.9.201403121731) ) #1 SMP Debian 3.16.5-1.109.201412161258 (2014-12-16)
[    0.000000] Command line: initrd=/install.amd/initrd.gz verbose console=ttyS0,115200,8,N,1 console=tty0 BOOT_IMAGE=/install.amd/vmlinuz 
...
[    6.696108] xenbus_probe_frontend: Waiting for devices to initialise: 25s...20s...15s...10s...5s...0s...
[   31.601505] 
[   31.603225] xenbus_probe_frontend: Timeout connecting to device: device/vfb/0 (local state 3, remote state 1)
[   31.607948] xenbus_probe_frontend: Device with no driver: device/vbd/768
[   31.614322] xenbus_probe_frontend: Device with no driver: device/vbd/832
[   31.618862] xenbus_probe_frontend: Device with no driver: device/vif/0
...
[   32.575241] vbd vbd-832: 19 xenbus_dev_probe on device/vbd/832
[   32.589571] blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: disabled;
[   32.624865]  xvda: unknown partition table
[   32.626972] Setting capacity to 41943040
[   32.628839] xvda: detected capacity change from 0 to 21474836480

Also adding "xen_emul_unplug=never" makes the text installer work:
[    0.000000] Command line: initrd=/install.amd/initrd.gz verbose console=ttyS0,115200,8,N,1 console=tty0 xen_emul_unplug=never BOOT_IMAGE=/install.amd/vmlinuz 

OK: Windows 7 64 (GPLPV failed without Updtaes, too multiple hours to update)
OK: Windows 2008 R2 64
OK: Windows 2012 64