Bug 38565 - xen: Multiple issues (3.2)
xen: Multiple issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
: P1 normal (vote)
: UCS 3.2-7-errata
Assigned To: Philipp Hahn
Erik Damrose
:
Depends on: 38173
Blocks:
  Show dependency treegraph
 
Reported: 2015-05-19 16:39 CEST by Philipp Hahn
Modified: 2015-09-23 13:14 CEST (History)
4 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2015-05-19 16:39:54 CEST
Unfixed issues remaining in xen-4.1.3 for UCS-3.2-6 from Bug #38173:

Denial of service against host by malicious HVM guest with assigned PCI device with pass-through (Long latency MMIO mapping operations are not preemptible) (CVE-2015-2752)

HVM qemu unexpectedly enabling emulated VGA graphics backends (CVE-2015-2152)

Information leak through XEN_DOMCTL_gettscinfo (CVE-2015-3340)

+++ This bug was initially created as a clone of Bug #38173 +++
Comment 1 Arvid Requate univentionstaff 2015-06-08 19:14:34 CEST
* Denial of service (host interrupt handling confusion) due to potential unintended writes to host MSI message data field via qemu by untrusted guest administrators (CVE-2015-4103)

* Denial of service (unexpected interrupt and host crash) due to PCI MSI mask bits inadvertently exposed to guests (CVE-2015-4104)

* Denial of service due to guest triggerable qemu MSI-X pass-through error messages filling up the host storage (CVE-2015-4105)

* Unmediated PCI register access in qemu possibly allows privilege escalation, host crash (Denial of Service), and leaked information (CVE-2015-4106)
Comment 2 Arvid Requate univentionstaff 2015-06-22 18:48:29 CEST
* A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process (CVE-2015-3209)

* The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a loop, which allows local 32-bit PV guest administrators to cause a denial of service (large loop and system hang) via a hypercall_iret call with EFLAGS.VM set (CVE-2015-4164)
Comment 3 Arvid Requate univentionstaff 2015-07-08 11:17:02 CEST
* xl command line config handling stack overflow (CVE-2015-3259)
Comment 4 Philipp Hahn univentionstaff 2015-09-17 15:15:58 CEST
r63808 | Bug #35104: xenstored crash SEGV, Bug #38565: xen: Multiple issues
 Renamed patches ; Use "git build package patch quete" (gbp-pq) from ~phahn/src/extern/xen
 Applied patches for CVEs mentioned in this bug report
 Applied patch for Bug #35104
 Fixed build system for parallel build: *-stamp did not work

Package: xen-4.1
Version: 4.1.3-21.52.201509171449
Branch: ucs_3.2-0
Scope: errata3.2-7

r63809 | Bug #35104: xenstored crash SEGV, Bug #38565: xen: Multiple issues YAML
 2015-09-17-xen-4.1.yaml

OK: @xen13
OK: xm list
OK: virsh list
OK: uvmm ...
OK: ucs-3.2
OK: ucs-4.0
OK: w2k8r2
FYI: w2k12 blue sceeen, but VM might be corrupt

Already fixed
=============
ALREADY-FIXED   http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=fa957039018e1470737e785d849e5eee12ae3786    CVE-2013-4494 / XSA-73

Fixed imcompletely
==================
FIXED   Missing eefac7560f9a23e9330c04fe50e1185a1739a18d after 18c40b58752701b7a08e8394aa614cd4f6e21707 for XSA-27 / CVE-2012-5511 (Bug #29183)

Missed
======
ADDED   CVE-2013-2212 was claimed as an unfixable hardware limitation (Bug #31395)
ADDED   CVE-2015-2756 was claimed to not be present (Bug #25434)
ADDED   CVE-2015-5154 is also present (Bug #25434)

Fixed in stable-4.1
===================
CVEs
----
ADDED   http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=5cd1c730438c3c2cf164dd99a93627d3bcef2b9f    XSA-72 / CVE-2013-4416
ADDED   http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=21c17c15931f1dcb3da5520d8d542e973098297d    CVE-2013-4554 / XSA-76

ADDED   http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=5891e7c1541199350c0f23452f4487a679037f03    CVE-2013-6885 / XSA-82
ADDED   http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=934858f00267a92bc2a2995a0c634d02d2c60fbd    CVE-2013-6885 / XSA-82

ADDED   http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=649e7ae0df99ffb5bccc17b4cb139c46ce2359a2    CVE-2013-2212 / XSA-60
ADDED   http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=8829f8e3a6aff06f800c32841418afe98f0825bb    CVE-2013-2212 / XSA-60
ADDED   http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=684b40eb41c3d5eba55ad94b36fa3702c7720fe1    CVE-2013-2212 / XSA-60

XSAs
----
ADDED   http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=fa1bde94493ee9fc66ce6f33ed434a9d7133c896    XSA-87 CVE-2014-1666
NO-NEEDED       http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=f0d0e5efe15a8ce53eaaeee64cf568358ec197ca    XSA-84 CVE-2014-1891 CVE-2014-1892 CVE-2014-1893 CVE-2014-1894 XSM_ENABLE=n


Open
====
<https://forge.univention.org/bugzilla/show_bug.cgi?id=38565>

* Denial of service against host by malicious HVM guest with assigned PCI device with pass-through (Long latency MMIO mapping operations are not preemptible) (CVE-2015-2752)
XSA-125
Commit-4.2: e3bfa4003ceaa2746cdd77655953ab2601acaf9c

* HVM qemu unexpectedly enabling emulated VGA graphics backends (CVE-2015-2152)
XSA-119
Commit-4.2: 5bec01c19839e150e489dd04376c65f961830c86

* Information leak through XEN_DOMCTL_gettscinfo (CVE-2015-3340)
XSA-132
Commit-4.2: 7e527e2ab6c95ef84035d02e9e50b956a0d469c9

* Denial of service (host interrupt handling confusion) due to potential unintended writes to host MSI message data field via qemu by untrusted guest administrators (CVE-2015-4103)
XSA-128
http://xenbits.xen.org/xsa/xsa128-qemut.patch

* Denial of service (unexpected interrupt and host crash) due to PCI MSI mask bits inadvertently exposed to guests (CVE-2015-4104)
XSA-129
http://xenbits.xen.org/xsa/xsa129-qemut.patch

* Denial of service due to guest triggerable qemu MSI-X pass-through error messages filling up the host storage (CVE-2015-4105)
XSA-130
http://xenbits.xen.org/xsa/xsa130-qemut.patch

* Unmediated PCI register access in qemu possibly allows privilege escalation, host crash (Denial of Service), and leaked information (CVE-2015-4106)
XSA-131
http://xenbits.xen.org/xsa/xsa131-qemut-4.2-1.patch
http://xenbits.xen.org/xsa/xsa131-qemut-2.patch
http://xenbits.xen.org/xsa/xsa131-qemut-3.patch
http://xenbits.xen.org/xsa/xsa131-qemut-4.patch
http://xenbits.xen.org/xsa/xsa131-qemut-5.patch
http://xenbits.xen.org/xsa/xsa131-qemut-6.patch
http://xenbits.xen.org/xsa/xsa131-qemut-7.patch
http://xenbits.xen.org/xsa/xsa131-qemut-8.patch

* A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process (CVE-2015-3209)
XSA-135
http://xenbits.xen.org/xsa/xsa135-qemut-1.patch
http://xenbits.xen.org/xsa/xsa135-qemut-2.patch

* The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a loop, which allows local 32-bit PV guest administrators to cause a denial of service (large loop and system hang) via a hypercall_iret call with EFLAGS.VM set (CVE-2015-4164)
XSA-136
http://xenbits.xen.org/xsa/xsa136.patch
Commit-4.2: 21a8344ca38a2797a13b4bf57031b6f49ae12ccb

* xl command line config handling stack overflow (CVE-2015-3259)
XSA-137
Commit-4.2: b20c28064c54d345f366528a0f452ad14911e146


New
===
<http://xenbits.xen.org/xsa/>

NOT-VULNERABLE  XSA-139 CVE-2015-5166

TODO    XSA-140 CVE-2015-5165
http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-1.patch
http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-2.patch
http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-3.patch
http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-4.patch
http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-5.patch
http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-6.patch
http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-7.patch

NOT-VULNERABLE  XSA-141 CVE-2015-6654
Comment 5 Erik Damrose univentionstaff 2015-09-22 16:12:58 CEST
OK: Patches adapted
OK: Patches included in build
OK: YAML (minor change in r63881)
OK: Also release for UCS 3.2-6
OK: VM state after update @xen1; (UCS, w2k3, w2k12)
OK: xm, virsh, uvmm
-> Verified
Comment 6 Janek Walkenhorst univentionstaff 2015-09-23 13:14:46 CEST
<http://errata.software-univention.de/ucs/3.2/372.html>