Bug 38173 - xen: Multiple issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
Importance: P1 normal
Target Milestone: UCS 3.2-5-errata
Assigned To: Philipp Hahn
QA Contact: Stefan Gohmann
Depends on:
Blocks: 38565
Reported: 2015-03-31 15:43 CEST by Arvid Requate
Modified: 2015-05-21 16:04 CEST (History)
Attachments
CVE-2015-3456.patch from debian package version 4.1.4-3+deb7u6 (2.53 KB, patch)
2015-05-19 15:46 CEST, Arvid Requate
Description Arvid Requate univentionstaff 2015-03-31 15:43:55 CEST
Certain domctl operations may be abused to lock up the host (CVE-2015-2751)

Denial of service against host by malicious HVM guest with assigned PCI device with pass-through (Long latency MMIO mapping operations are not preemptible) (CVE-2015-2752)

Denial of service against host by HVM guest with assigned PCI device with pass-through (Unmediated PCI command register access in qemu) (CVE-2015-2756)
Comment 1 Arvid Requate univentionstaff 2015-03-31 16:56:56 CEST
ignore CVE-2015-2751: doesn't affect Xen versions 4.2 and earlier.
Comment 2 Arvid Requate univentionstaff 2015-04-01 11:51:37 CEST
* Denial of service against host by guest with assigned PCI device with pass-through (Non-maskable interrupts triggerable by guests) (CVE-2015-2150)
Comment 3 Arvid Requate univentionstaff 2015-04-07 12:41:26 CEST
* HVM qemu unexpectedly enabling emulated VGA graphics backends (CVE-2015-2152)
Comment 4 Arvid Requate univentionstaff 2015-04-28 15:12:36 CEST
* Information leak through XEN_DOMCTL_gettscinfo (CVE-2015-3340)
Comment 5 Arvid Requate univentionstaff 2015-05-13 18:27:43 CEST
* HVM guests using the traditional "qemu-xen" which have access to an emulated floppy device can take over the qemu process elevating its privilege to that of the qemu process. Guests using a qemu-dm stubdomain to run the device model are only vulnerable to takeover of that service domain (CVE-2015-3456)
Comment 6 Arvid Requate univentionstaff 2015-05-19 15:31:05 CEST
Upstream patches for CVE-2015-3456 are here:

http://xenbits.xen.org/xsa/advisory-133.html
Comment 7 Arvid Requate univentionstaff 2015-05-19 15:46:57 CEST
Created attachment 6912
CVE-2015-3456.patch from debian package version 4.1.4-3+deb7u6

Unfixed in Debian: CVE-2015-2152 CVE-2015-2752 CVE-2015-3340

Not affected by:
* CVE-2015-2756 (Vulnerable code not present)
* CVE-2015-2150 (affects linux, that's Bug #38008)

So the only fixable issue for now is the VENOM vulnerability (CVE-2015-3456). Please fix that ASAP and split off the unfixed issues into a new bug.
Comment 8 Arvid Requate univentionstaff 2015-05-19 17:57:44 CEST
I applied the patch in SVN, but the package build currently fails with a strange error. The only guess I currently have is that it somehow thinks that it should build 64-bit code in dimma?:

===========================================================================
gcc -Wall -g -O2 -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .subdirs-all.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE  -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .subdir-all-libxc.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE  -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .build.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE -I../../xen/common/libelf -Werror -Wmissing-prototypes  -I. -I../xenstore -I../include -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .libxenctrl.so.4.0.0.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE -I../../xen/common/libelf -Werror -Wmissing-prototypes  -I. -I../xenstore -I../include     -Wl,--no-as-needed    -Wl,--no-as-needed    -Wl,--no-as-needed -L.    -Wl,--no-as-needed -L. -Wl,-soname -Wl,libxenctrl.so.4.0 -ldl -shared -o libxenctrl.so.4.0.0 xc_core.opic xc_core_x86.opic xc_cpupool.opic xc_domain.opic xc_evtchn.opic xc_gnttab.opic xc_misc.opic xc_acm.opic xc_flask.opic xc_physdev.opic xc_private.opic xc_sedf.opic xc_csched.opic xc_csched2.opic xc_arinc653.opic xc_tbuf.opic xc_pm.opic xc_cpu_hotplug.opic xc_resume.opic xc_tmem.opic xc_mem_event.opic xc_mem_paging.opic xc_mem_access.opic xc_memshr.opic xc_hcall_buf.opic xc_foreign_memory.opic xtl_core.opic xtl_logger_stdio.opic xc_pagetab.opic xc_linux.opic xc_linux_osdep.opic -lpthread
/usr/bin/ld: skipping incompatible /usr/lib/gcc/i486-linux-gnu/4.4.5/../../../libdl.so when searching for -ldl
/usr/bin/ld: skipping incompatible /usr/lib/gcc/i486-linux-gnu/4.4.5/../../../libdl.a when searching for -ldl
/usr/bin/ld: skipping incompatible /usr/lib/libdl.so when searching for -ldl
/usr/bin/ld: skipping incompatible /usr/lib/libdl.a when searching for -ldl
/usr/bin/ld: cannot find -ldl
collect2: ld returned 1 exit status
make[4]: *** [libxenctrl.so.4.0.0] Error 1
===========================================================================

There is a previous build log ucs_3.2-0-errata3.2-5.xen-4.1.201503110812.log.bz2 which is fine.
Comment 9 Philipp Hahn univentionstaff 2015-05-20 19:29:54 CEST
# ssh -t dimma chroot /proc/25880/root su -l -s /bin/bash pbuser

$ file -L /usr/lib/libdl.so /usr/lib/libdl.a 
/usr/lib/libdl.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
/usr/lib/libdl.a:  current ar archive
$ uname -m
x86_64
$ dpkg --print-architecture
i386

$ cd ~/xen-4.1-4.1.3/xen-4.1.3/tools/libxc
$ gcc -Wall -g -O2 -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .subdirs-all.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE  -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .subdir-all-libxc.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE  -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .build.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE -I../../xen/common/libelf -Werror -Wmissing-prototypes  -I. -I../xenstore -I../include -O2 -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement  -D__XEN_TOOLS__ -MMD -MF .libxenctrl.so.4.0.0.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE -I../../xen/common/libelf -Werror -Wmissing-prototypes  -I. -I../xenstore -I../include     -Wl,--no-as-needed    -Wl,--no-as-needed    -Wl,--no-as-needed -L.    -Wl,--no-as-needed -L. -Wl,-soname -Wl,libxenctrl.so.4.0 -ldl -shared -o libxenctrl.so.4.0.0 xc_core.opic xc_core_x86.opic xc_cpupool.opic xc_domain.opic xc_evtchn.opic xc_gnttab.opic xc_misc.opic xc_acm.opic xc_flask.opic xc_physdev.opic xc_private.opic xc_sedf.opic xc_csched.opic xc_csched2.opic xc_arinc653.opic xc_tbuf.opic xc_pm.opic xc_cpu_hotplug.opic xc_resume.opic xc_tmem.opic xc_mem_event.opic xc_mem_paging.opic xc_mem_access.opic xc_memshr.opic xc_hcall_buf.opic xc_foreign_memory.opic xtl_core.opic xtl_logger_stdio.opic xc_pagetab.opic xc_linux.opic xc_linux_osdep.opic -lpthread -v

$ /usr/lib/gcc/i486-linux-gnu/4.4.5/collect2 --build-id --eh-frame-hdr -m elf_x86_64 --hash-style=both -shared -o libxenctrl.so.4.0.0 /usr/lib/gcc/i486-linux-gnu/4.4.5/../../../crti.o /usr/lib/gcc/i486-linux-gnu/4.4.5/crtbeginS.o -L. -L. -L/usr/lib/gcc/i486-linux-gnu/4.4.5/../../../../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/i486-linux-gnu/4.4.5 -L/usr/lib/gcc/i486-linux-gnu/4.4.5 -L/usr/lib/gcc/i486-linux-gnu/4.4.5/../../.. --no-as-needed --no-as-needed --no-as-needed --no-as-needed -soname libxenctrl.so.4.0 -ldl xc_core.opic xc_core_x86.opic xc_cpupool.opic xc_domain.opic xc_evtchn.opic xc_gnttab.opic xc_misc.opic xc_acm.opic xc_flask.opic xc_physdev.opic xc_private.opic xc_sedf.opic xc_csched.opic xc_csched2.opic xc_arinc653.opic xc_tbuf.opic xc_pm.opic xc_cpu_hotplug.opic xc_resume.opic xc_tmem.opic xc_mem_event.opic xc_mem_paging.opic xc_mem_access.opic xc_memshr.opic xc_hcall_buf.opic xc_foreign_memory.opic xtl_core.opic xtl_logger_stdio.opic xc_pagetab.opic xc_linux.opic xc_linux_osdep.opic -lpthread -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/i486-linux-gnu/4.4.5/crtendS.o /usr/lib/gcc/i486-linux-gnu/4.4.5/../../../crtn.o

Where does the "-m elf_x86_64" come from?


Idea: dimma was moved from xen13 HW back to a VM, which is 64 bit? Thus "uname -r" returns x86 and some xen scripts use that?

$ ssh dimma uname -m
x86_64
$ ssh dimma dpkg --print-architecture
i386
$ ssh dimma aptitude search '?name(linux-image)?installed'
i   linux-image-3.10.0-ucs108-amd64     - Linux 3.10 for 64-bit PCs
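The failure in comments 8 and 9 is a kernel/userland architecture mismatch: an i386 build chroot running on an amd64 kernel, so `uname -m` reports x86_64 while `dpkg --print-architecture` reports i386, and the xen build derives `-m64` from the former and then cannot link against the 32-bit libdl. The following is an added example, not code from the bug report or from the xen package, that checks a build host for exactly this mismatch and proposes the usual workaround of running the build under `setarch i686` (util-linux; its presence on the host is an assumption) so that `uname -m` agrees with the userland without rebooting. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report or the xen package): detect the
# kernel/userland architecture mismatch seen on the build host "dimma".
# Assumes util-linux `setarch` is available (an assumption, not verified here).

# Map a dpkg architecture to the `uname -m` values a matching kernel reports.
expected_machines() {
    case "$1" in
        i386)  echo "i386 i486 i586 i686" ;;
        amd64) echo "x86_64" ;;
        *)     echo "" ;;
    esac
}

# arch_consistent KERNEL_M PKG_ARCH
# Returns 0 if the kernel machine type fits the dpkg userland architecture,
# 1 if they disagree, 2 if the dpkg architecture is not one we know.
arch_consistent() {
    kernel_m="$1"
    pkg_arch="$2"
    wanted=$(expected_machines "$pkg_arch")
    [ -n "$wanted" ] || return 2
    for m in $wanted; do
        [ "$m" = "$kernel_m" ] && return 0
    done
    return 1
}

# build_wrapper KERNEL_M PKG_ARCH
# Prints the command prefix that makes `uname -m` agree with the userland:
# empty when nothing is needed, "setarch i686" for an i386 userland on a
# 64-bit kernel, and "unsupported" for combinations this example does not handle.
build_wrapper() {
    if arch_consistent "$1" "$2"; then
        echo ""
    elif [ "$2" = "i386" ]; then
        echo "setarch i686"
    else
        echo "unsupported"
    fi
}

# check_host: inspect the machine this script runs on and print advice.
# Falls back to "unknown" where dpkg is not installed.
check_host() {
    k=$(uname -m)
    a=$(dpkg --print-architecture 2>/dev/null || echo unknown)
    w=$(build_wrapper "$k" "$a")
    if [ -z "$w" ]; then
        echo "ok: kernel $k matches userland $a"
    elif [ "$w" = "unsupported" ]; then
        echo "warning: kernel $k with userland $a, no automatic wrapper known"
    else
        echo "mismatch: kernel $k, userland $a; run the build as: $w -- dpkg-buildpackage ..."
    fi
}

check_host
```

The sample values in the test below are constructed to mirror the outputs quoted in comment 9 (`uname -m` = x86_64, `dpkg --print-architecture` = i386) and the state after the reboot in comment 10 (i686 on an i386 userland).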
Comment 10 Philipp Hahn univentionstaff 2015-05-21 08:13:05 CEST
Rebooted dimma to use a 32-bit kernel again:
 $ ssh dimma uname -r -m
 3.10.0-ucs114-686-pae i686

Package: xen-4.1
Version: 4.1.3-20.51.201505202321
Branch: ucs_3.2-0
Scope: errata3.2-5

r60813 | Bug #38173: xen-4.1 YAML
 2015-05-19-xen-4.1.yaml
Comment 11 Stefan Gohmann univentionstaff 2015-05-21 14:16:21 CEST
YAML: OK

Tests: OK
Comment 12 Stefan Gohmann univentionstaff 2015-05-21 14:18:50 CEST
(In reply to Stefan Gohmann from comment #11)
> Tests: OK

I was unable to add a floppy to a PV instance (UCS), but it is independent of the Xen version and seems to be a bug in UVMM / libvirt. It works with a HVM instance.
Comment 13 Janek Walkenhorst univentionstaff 2015-05-21 15:56:48 CEST
<http://errata.univention.de/ucs/3.2/336.html>
Comment 14 Philipp Hahn univentionstaff 2015-05-21 16:04:57 CEST
OK: amd64 @ xen14
OK: UCS-3.2-6
OK: UCS-4.0-2 (no VNC, needs text mode installer and "xen_emul_unplug=never")

[    0.000000] Linux version 3.16-ucs109-amd64 (debian-kernel@lists.debian.org) (gcc version 4.7.2 (Debian 4.7.2-5.9.201403121731) ) #1 SMP Debian 3.16.5-1.109.201412161258 (2014-12-16)
[    0.000000] Command line: initrd=/install.amd/initrd.gz verbose console=ttyS0,115200,8,N,1 console=tty0 BOOT_IMAGE=/install.amd/vmlinuz 
...
[    6.696108] xenbus_probe_frontend: Waiting for devices to initialise: 25s...20s...15s...10s...5s...0s...
[   31.601505] 
[   31.603225] xenbus_probe_frontend: Timeout connecting to device: device/vfb/0 (local state 3, remote state 1)
[   31.607948] xenbus_probe_frontend: Device with no driver: device/vbd/768
[   31.614322] xenbus_probe_frontend: Device with no driver: device/vbd/832
[   31.618862] xenbus_probe_frontend: Device with no driver: device/vif/0
...
[   32.575241] vbd vbd-832: 19 xenbus_dev_probe on device/vbd/832
[   32.589571] blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: disabled;
[   32.624865]  xvda: unknown partition table
[   32.626972] Setting capacity to 41943040
[   32.628839] xvda: detected capacity change from 0 to 21474836480

Also adding "xen_emul_unplug=never" makes the text installer work:
[    0.000000] Command line: initrd=/install.amd/initrd.gz verbose console=ttyS0,115200,8,N,1 console=tty0 xen_emul_unplug=never BOOT_IMAGE=/install.amd/vmlinuz 

OK: Windows 7 64 (GPLPV failed without updates, took multiple hours to update)
OK: Windows 2008 R2 64
OK: Windows 2012 64