Univention Bugzilla – Bug 38173
xen: Multiple issues (3.2)
Last modified: 2015-05-21 16:04:57 CEST
* Certain domctl operations may be abused to lock up the host (CVE-2015-2751)
* Denial of service against host by malicious HVM guest with assigned PCI device with pass-through (Long latency MMIO mapping operations are not preemptible) (CVE-2015-2752)
* Denial of service against host by HVM guest with assigned PCI device with pass-through (Unmediated PCI command register access in qemu) (CVE-2015-2756)
ignore CVE-2015-2751: doesn't affect Xen versions 4.2 and earlier.
* Denial of service against host by guest with assigned PCI device with pass-through (Non-maskable interrupts triggerable by guests) (CVE-2015-2150)
* HVM qemu unexpectedly enabling emulated VGA graphics backends (CVE-2015-2152)
* Information leak through XEN_DOMCTL_gettscinfo (CVE-2015-3340)
* HVM guests using the traditional "qemu-xen" which have access to an emulated floppy device can take over the qemu process elevating its privilege to that of the qemu process. Guests using a qemu-dm stubdomain to run the device model are only vulnerable to takeover of that service domain (CVE-2015-3456)
Upstream patches for CVE-2015-3456 are here: http://xenbits.xen.org/xsa/advisory-133.html
Created attachment 6912
CVE-2015-3456.patch from debian package version 4.1.4-3+deb7u6

Unfixed in Debian: CVE-2015-2152 CVE-2015-2752 CVE-2015-3340

Not affected by:
* CVE-2015-2756 (Vulnerable code not present)
* CVE-2015-2150 (affects linux, that's Bug #38008)

So the only fixable issue for now is the VENOM vulnerability (CVE-2015-3456).
Please fix that ASAP and split off the unfixed issues into a new bug.
I applied the patch in SVN, but the package build currently fails with a strange error. The only guess I currently have is that it somehow thinks that it should build 64-bit code in dimma?:

===========================================================================
gcc -Wall -g -O2 -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement -D__XEN_TOOLS__ -MMD -MF .subdirs-all.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement -D__XEN_TOOLS__ -MMD -MF .subdir-all-libxc.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement -D__XEN_TOOLS__ -MMD -MF .build.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE -I../../xen/common/libelf -Werror -Wmissing-prototypes -I. -I../xenstore -I../include -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement -D__XEN_TOOLS__ -MMD -MF .libxenctrl.so.4.0.0.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE -I../../xen/common/libelf -Werror -Wmissing-prototypes -I. -I../xenstore -I../include -Wl,--no-as-needed -Wl,--no-as-needed -Wl,--no-as-needed -L. -Wl,--no-as-needed -L. -Wl,-soname -Wl,libxenctrl.so.4.0 -ldl -shared -o libxenctrl.so.4.0.0 xc_core.opic xc_core_x86.opic xc_cpupool.opic xc_domain.opic xc_evtchn.opic xc_gnttab.opic xc_misc.opic xc_acm.opic xc_flask.opic xc_physdev.opic xc_private.opic xc_sedf.opic xc_csched.opic xc_csched2.opic xc_arinc653.opic xc_tbuf.opic xc_pm.opic xc_cpu_hotplug.opic xc_resume.opic xc_tmem.opic xc_mem_event.opic xc_mem_paging.opic xc_mem_access.opic xc_memshr.opic xc_hcall_buf.opic xc_foreign_memory.opic xtl_core.opic xtl_logger_stdio.opic xc_pagetab.opic xc_linux.opic xc_linux_osdep.opic -lpthread
/usr/bin/ld: skipping incompatible /usr/lib/gcc/i486-linux-gnu/4.4.5/../../../libdl.so when searching for -ldl
/usr/bin/ld: skipping incompatible /usr/lib/gcc/i486-linux-gnu/4.4.5/../../../libdl.a when searching for -ldl
/usr/bin/ld: skipping incompatible /usr/lib/libdl.so when searching for -ldl
/usr/bin/ld: skipping incompatible /usr/lib/libdl.a when searching for -ldl
/usr/bin/ld: cannot find -ldl
collect2: ld returned 1 exit status
make[4]: *** [libxenctrl.so.4.0.0] Error 1
===========================================================================

There is a previous build log ucs_3.2-0-errata3.2-5.xen-4.1.201503110812.log.bz2 which is fine.
# ssh -t dimma chroot /proc/25880/root su -l -s /bin/bash pbuser
$ file -L /usr/lib/libdl.so /usr/lib/libdl.a
/usr/lib/libdl.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
/usr/lib/libdl.a: current ar archive
$ uname -m
x86_64
$ dpkg --print-architecture
i386
$ cd ~/xen-4.1-4.1.3/xen-4.1.3/tools/libxc
$ gcc -Wall -g -O2 -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement -D__XEN_TOOLS__ -MMD -MF .subdirs-all.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement -D__XEN_TOOLS__ -MMD -MF .subdir-all-libxc.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement -D__XEN_TOOLS__ -MMD -MF .build.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE -I../../xen/common/libelf -Werror -Wmissing-prototypes -I. -I../xenstore -I../include -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement -D__XEN_TOOLS__ -MMD -MF .libxenctrl.so.4.0.0.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE -I../../xen/common/libelf -Werror -Wmissing-prototypes -I. -I../xenstore -I../include -Wl,--no-as-needed -Wl,--no-as-needed -Wl,--no-as-needed -L. -Wl,--no-as-needed -L. -Wl,-soname -Wl,libxenctrl.so.4.0 -ldl -shared -o libxenctrl.so.4.0.0 xc_core.opic xc_core_x86.opic xc_cpupool.opic xc_domain.opic xc_evtchn.opic xc_gnttab.opic xc_misc.opic xc_acm.opic xc_flask.opic xc_physdev.opic xc_private.opic xc_sedf.opic xc_csched.opic xc_csched2.opic xc_arinc653.opic xc_tbuf.opic xc_pm.opic xc_cpu_hotplug.opic xc_resume.opic xc_tmem.opic xc_mem_event.opic xc_mem_paging.opic xc_mem_access.opic xc_memshr.opic xc_hcall_buf.opic xc_foreign_memory.opic xtl_core.opic xtl_logger_stdio.opic xc_pagetab.opic xc_linux.opic xc_linux_osdep.opic -lpthread -v
$ /usr/lib/gcc/i486-linux-gnu/4.4.5/collect2 --build-id --eh-frame-hdr -m elf_x86_64 --hash-style=both -shared -o libxenctrl.so.4.0.0 /usr/lib/gcc/i486-linux-gnu/4.4.5/../../../crti.o /usr/lib/gcc/i486-linux-gnu/4.4.5/crtbeginS.o -L. -L. -L/usr/lib/gcc/i486-linux-gnu/4.4.5/../../../../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/i486-linux-gnu/4.4.5 -L/usr/lib/gcc/i486-linux-gnu/4.4.5 -L/usr/lib/gcc/i486-linux-gnu/4.4.5/../../.. --no-as-needed --no-as-needed --no-as-needed --no-as-needed -soname libxenctrl.so.4.0 -ldl xc_core.opic xc_core_x86.opic xc_cpupool.opic xc_domain.opic xc_evtchn.opic xc_gnttab.opic xc_misc.opic xc_acm.opic xc_flask.opic xc_physdev.opic xc_private.opic xc_sedf.opic xc_csched.opic xc_csched2.opic xc_arinc653.opic xc_tbuf.opic xc_pm.opic xc_cpu_hotplug.opic xc_resume.opic xc_tmem.opic xc_mem_event.opic xc_mem_paging.opic xc_mem_access.opic xc_memshr.opic xc_hcall_buf.opic xc_foreign_memory.opic xtl_core.opic xtl_logger_stdio.opic xc_pagetab.opic xc_linux.opic xc_linux_osdep.opic -lpthread -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/i486-linux-gnu/4.4.5/crtendS.o /usr/lib/gcc/i486-linux-gnu/4.4.5/../../../crtn.o

Where does the "-m elf_x86_64" come from?
Idea: dimma was moved from xen13 HW back to a VM, which is 64 bit? Thus "uname -r" returns x86 and some xen scripts use that?
$ ssh dimma uname -m
x86_64
$ ssh dimma dpkg --print-architecture
i386
$ ssh dimma aptitude search '?name(linux-image)?installed'
i linux-image-3.10.0-ucs108-amd64 - Linux 3.10 for 64-bit PCs
Rebooted dimma to use a 32 bit kernel again:
$ ssh dimma uname -r -m
3.10.0-ucs114-686-pae i686

Package: xen-4.1
Version: 4.1.3-20.51.201505202321
Branch: ucs_3.2-0
Scope: errata3.2-5

r60813 | Bug #38173: xen-4.1 YAML
 2015-05-19-xen-4.1.yaml
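The mismatch diagnosed in the comments above (i386 userland, x86_64 kernel, 32-bit libdl.so, linker asked for elf_x86_64) can be caught before a build starts. The following shell check is an added example, not part of the original bug thread or Univention's build tooling; the function names, the constructed demo file and the `linux32` hint are assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-build guard for a 32-bit chroot running on a 64-bit kernel.

# Does the kernel machine string (uname -m) agree with the userland (dpkg) arch?
arch_matches() {    # $1 = dpkg architecture, $2 = uname -m output
    case "$1:$2" in
        i386:i?86|amd64:x86_64) return 0 ;;
        *) return 1 ;;
    esac
}

# Print 32 or 64 from the EI_CLASS byte (offset 4) of an ELF file; fail otherwise.
elf_class() {       # $1 = path
    [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "7f454c46" ] || return 1
    case "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) return 1 ;;
    esac
}

# Return 0 only if kernel, userland and the probed library all agree.
check_build_env() { # $1 = dpkg arch, $2 = uname -m, $3 = library to probe
    rc=0
    case "$1" in i386) want=32 ;; amd64) want=64 ;; *) echo "unhandled arch $1" >&2; return 2 ;; esac
    if ! arch_matches "$1" "$2"; then
        echo "kernel reports $2, userland is $1: builds keyed on uname -m pick the wrong -m flag" >&2
        rc=1
    fi
    have=$(elf_class "$3") || { echo "$3: not an ELF object" >&2; return 2; }
    if [ "$have" != "$want" ]; then
        echo "$3 is ${have}-bit, userland expects ${want}-bit" >&2
        rc=1
    fi
    return $rc
}

# Demo on constructed input mirroring the thread: i386 userland, x86_64 kernel,
# and a 5-byte stand-in for a 32-bit libdl.so (ELF magic + EI_CLASS=1).
demo_lib=$(mktemp)
printf '\177ELF\001' > "$demo_lib"
if check_build_env i386 x86_64 "$demo_lib" 2>/dev/null; then
    echo "environment consistent"
else
    echo "mismatch detected: reboot into a 32-bit kernel or run the build under linux32"
fi
rm -f "$demo_lib"
```

On a real build host the call would be `check_build_env "$(dpkg --print-architecture)" "$(uname -m)" /usr/lib/libdl.so`, run inside the chroot.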
YAML: OK
Tests: OK
(In reply to Stefan Gohmann from comment #11)
> Tests: OK

I was unable to add a floppy to a PV instance (UCS) but it is independent from the Xen version and seems to be a bug in UVMM / libvirt. It works with a HVM instance.
<http://errata.univention.de/ucs/3.2/336.html>
OK: amd64 @ xen14
OK: UCS-3.2-6
OK: UCS-4.0-2 (no VNC, needs text mode installer and "xen_emul_unplug=never")

[ 0.000000] Linux version 3.16-ucs109-amd64 (debian-kernel@lists.debian.org) (gcc version 4.7.2 (Debian 4.7.2-5.9.201403121731) ) #1 SMP Debian 3.16.5-1.109.201412161258 (2014-12-16)
[ 0.000000] Command line: initrd=/install.amd/initrd.gz verbose console=ttyS0,115200,8,N,1 console=tty0 BOOT_IMAGE=/install.amd/vmlinuz
...
[ 6.696108] xenbus_probe_frontend: Waiting for devices to initialise: 25s...20s...15s...10s...5s...0s...
[ 31.601505]
[ 31.603225] xenbus_probe_frontend: Timeout connecting to device: device/vfb/0 (local state 3, remote state 1)
[ 31.607948] xenbus_probe_frontend: Device with no driver: device/vbd/768
[ 31.614322] xenbus_probe_frontend: Device with no driver: device/vbd/832
[ 31.618862] xenbus_probe_frontend: Device with no driver: device/vif/0
...
[ 32.575241] vbd vbd-832: 19 xenbus_dev_probe on device/vbd/832
[ 32.589571] blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: disabled;
[ 32.624865] xvda: unknown partition table
[ 32.626972] Setting capacity to 41943040
[ 32.628839] xvda: detected capacity change from 0 to 21474836480

Also adding "xen_emul_unplug=never" makes the text installer work:

[ 0.000000] Command line: initrd=/install.amd/initrd.gz verbose console=ttyS0,115200,8,N,1 console=tty0 xen_emul_unplug=never BOOT_IMAGE=/install.amd/vmlinuz

OK: Windows 7 64 (GPLPV failed without Updates, took multiple hours to update)
OK: Windows 2008 R2 64
OK: Windows 2012 64