Bug 39689 - xen: Multiple issues (3.3)
xen: Multiple issues (3.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 3.2
OS: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.3
Assigned To: Philipp Hahn
QA Contact: Erik Damrose
Depends on:
Blocks: 41332
Reported: 2015-10-30 16:12 CET by Janek Walkenhorst
Modified: 2016-10-05 12:45 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Janek Walkenhorst univentionstaff 2015-10-30 16:12:48 CET
+++ This bug was initially created as a clone of Bug #39684 +++

x86: Long latency populate-on-demand operation is not preemptible (CVE-2015-7970)
  http://xenbits.xen.org/xsa/advisory-150.html

x86: populate-on-demand balloon size inaccuracy can crash guests (CVE-2015-7972)
  http://xenbits.xen.org/xsa/advisory-153.html
Comment 1 Arvid Requate univentionstaff 2015-11-10 11:42:09 CET
A new XSA has been published:

x86: CPU lockup during exception delivery (Alignment Check Exception, CVE-2015-5307)
x86: CPU lockup during exception delivery (Debug Exception, CVE-2015-8104)
  http://xenbits.xen.org/xsa/advisory-156.html

Note: XSA numbers 154 and 155 are not published (yet)
Comment 2 Arvid Requate univentionstaff 2015-12-11 12:45:45 CET
New issues:

* CVE-2015-8339, CVE-2015-8340 (XSA-159) XENMEM_exchange error handling issues

* CVE-2015-7504 (XSA-162) pcnet: heap overflow vulnerability in loopback mode
And updated info on these:

* CVE-2015-7970 (XSA-150) will probably not get fixed (Minor issue, too intrusive to backport)

* CVE-2015-7972 (XSA-153) will not get fixed (minor issue, libxl is not default in xen-4.1, see http://wiki.xen.org/wiki/XL)
Comment 3 Arvid Requate univentionstaff 2015-12-21 12:45:23 CET
Additional issues:

* CVE-2015-8550 (XSA-153): Denial of service due to paravirtualized drivers being incautious about shared memory contents. If driver domains are not in use, the impact can be a host crash, or privilege escalation.

* CVE-2015-8551, CVE-2015-8552 (XSA-157): Linux pciback missing sanity checks leading to crash. If driver domains are not in use, the impact can be a host crash.

* CVE-2015-8553: Addendum patch to XSA-120.

* CVE-2015-8554 (XSA-164): Elevation of privilege due to qemu-dm buffer overrun in MSI-X handling.

* CVE-2015-8555 (XSA-165): Information leak between domains in legacy x86 FPU/XMM initialization.

* (XSA-166): Xen systems servicing an HVM domain may suffer from privilege escalation, host crash (Denial of Service), and leaked information if the attacker has gained control of the device model qemu via another vulnerability.
Comment 4 Arvid Requate univentionstaff 2016-03-17 14:42:45 CET
* x86: inconsistent cachability flags on guest mappings. Impact: A malicious guest administrator might be able to cause a reboot, denying service to the entire host. Affected: Only x86 guests given control over some physical device can trigger this vulnerability. x86 systems are vulnerable, depending on CPU and chipset, the impact may be harmless. (CVE-2016-2270 / XSA-154)

* paravirtualized drivers incautious about shared memory contents. Impact: Malicious guest administrators can cause denial of service or arbitrary code execution in backend. If driver domains are not in use, the impact can be a host crash or privilege escalation. Systems running PV or HVM guests are vulnerable. (CVE-2015-8550 / XSA-155)

* PV superpage functionality is missing sanity checks on data passed to the hypervisor by guests. Impact: The vulnerability may have unknown effects, ranging from information leaks through Denial of Service to privilege escalation. Affected: This feature is disabled by default, that is, only systems with an `allowsuperpage' setting on the hypervisor command line are vulnerable (CVE-2016-1570 / XSA-167)

* VMX: intercept issue with INVLPG on non-canonical address. Impact: A malicious guest can crash the host, leading to a Denial of Service. Affected: Systems using Intel or Cyrix CPUs are affected. ARM and AMD systems are unaffected. Only HVM guests using shadow mode paging can expose this vulnerability.  PV guests, and HVM guests using Hardware Assisted Paging (also known as EPT on affected hardware), are unaffected. (CVE-2016-1571 / XSA-168)

* VMX: guest user mode may crash guest with non-canonical RIP. Impact: Malicious HVM guest user mode code may be able to crash the guest. Affected: Only systems using Intel or Cyrix CPUs are affected. ARM and AMD systems are unaffected. Only HVM guests are affected. (CVE-2016-2271 / XSA-170)

* I/O port access privilege escalation in x86-64 Linux. Impact: User mode processes not supposed to be able to access I/O ports may be granted such permission, potentially resulting in one or more of in-guest privilege escalation, guest crashes (Denial of Service), or in-guest information leaks. Affected: x86-64 Linux versions operating as PV Xen guests are vulnerable. x86 HVM guests are not vulnerable. 32-bit Linux guests are not vulnerable. Probably non-Linux guests are not vulnerable either. (CVE-2016-3157 / XSA-171)
Comment 5 Arvid Requate univentionstaff 2016-03-29 18:48:41 CEST
* broken AMD FPU FIP/FDP/FOP leak workaround (XSA-172) (CVE-2016-3159)
Comment 6 Philipp Hahn univentionstaff 2016-04-01 15:49:18 CEST
Most are fixed by Bug #40697 for UCS-3.3:

(In reply to Janek Walkenhorst from comment #0)
> x86: Long latency populate-on-demand operation is not preemptible
> (CVE-2015-7970)
>   <http://xenbits.xen.org/xsa/advisory-150.html>

debian/patches/xsa150-4.1.patch

> x86: populate-on-demand balloon size inaccuracy can crash guests
> (CVE-2015-7972)
>   <http://xenbits.xen.org/xsa/advisory-153.html>

debian/patches/xsa153-libxl-4.2.patch


(In reply to Arvid Requate from comment #1)
> x86: CPU lockup during exception delivery (Alignment Check Exception,
> CVE-2015-5307)
> x86: CPU lockup during exception delivery (Debug Exception, CVE-2015-8104)
>   <http://xenbits.xen.org/xsa/advisory-156.html>

debian/patches/xsa156-4.2.patch

(In reply to Arvid Requate from comment #2)
> * CVE-2015-8339, CVE-2015-8340 (XSA-159) XENMEM_exchange error handling
> issues
>   <http://xenbits.xen.org/xsa/advisory-159.html>

debian/patches/xsa159.patch

> * CVE-2015-7504 (XSA-162) pcnet: heap overflow vulnerability in loopback mode
>   <http://xenbits.xen.org/xsa/advisory-162.html>

debian/patches/xsa162-qemut.patch

> * CVE-2015-7970 (XSA-150) will probably not get fixed (Minor issue, too
> intrusive to backport)
>   <http://xenbits.xen.org/xsa/advisory-150.html>

debian/patches/xsa150-4.1.patch

> * CVE-2015-7972 (XSA-153) will not get fixed (minor issue, libxl is not
> default in xen-4.1, see http://wiki.xen.org/wiki/XL)
...
(In reply to Arvid Requate from comment #3)
> * CVE-2015-8550 (XSA-153): Denial of service due to paravirtualized drivers
> being incautious about shared memory contents. If driver domains are not in
> use, the impact can be a host crash, or privilege escalation.
>   <http://xenbits.xen.org/xsa/advisory-153.html>

debian/patches/xsa153-libxl-4.2.patch

> * CVE-2015-8551, CVE-2015-8552 (XSA-157): Linux pciback missing sanity
> checks leading to crash. If driver domains are not in use, the impact can be
> a host crash.
>   <http://xenbits.xen.org/xsa/advisory-157.html>

This is a bug in the Linux kernel.

> * CVE-2015-8553: Addendum patch to XSA-120.
>  <http://xenbits.xen.org/xsa/advisory-120.html>

This is a bug in the Linux kernel.

> * CVE-2015-8554 (XSA-164): Elevation of privilege due to qemu-dm buffer
> overrun in MSI-X handling.
>   <http://xenbits.xen.org/xsa/advisory-164.html>

debian/patches/xsa164.patch

> * CVE-2015-8555 (XSA-165): Information leak between domains in legacy x86
> FPU/XMM initialization.
>   <http://xenbits.xen.org/xsa/advisory-165.html>

debian/patches/xsa165-4.1.patch

> * (XSA-166): Xen systems servicing an HVM domain may suffer from privilege
> escalation, host crash (Denial of Service), and leaked information if the
> attacker has gained control of the device model qemu via another
> vulnerability.
>   <http://xenbits.xen.org/xsa/advisory-166.html>

debian/patches/xsa166-4.3.patch


(In reply to Arvid Requate from comment #4)
> * x86: inconsistent cachability flags on guest mappings. Impact: A malicious
> guest administrator might be able to cause a reboot, denying service to the
> entire host. Affected: Only x86 guests given control over some physical
> device can trigger this vulnerability. x86 systems are vulnerable, depending
> on CPU and chipset, the impact may be harmless. (CVE-2016-2270 / XSA-154)
>   <http://xenbits.xen.org/xsa/advisory-154.html>

 debian/patches/xsa154-4.3.patch     |  347 ++++++++++++++++++++++++++++++++++++
 debian/patches/xsa154-prereq1.patch |  252 ++++++++++++++++++++++++++
 debian/patches/xsa154-prereq2.patch |  126 +++++++++++++
 debian/patches/xsa154-prereq3.patch |  213 ++++++++++++++++++++++
 debian/patches/xsa154-prereq4.patch |   41 ++++


> * paravirtualized drivers incautious about shared memory contents. Impact:
> Malicious guest administrators can cause denial of service or arbitrary code
> execution in backend. If driver domains are not in use, the impact can be a
> host crash or privilege escalation. Systems running PV or HVM guests are
> vulnerable. (CVE-2015-8550 / XSA-155)
>   <http://xenbits.xen.org/xsa/advisory-155.html>

debian/patches/xsa155-qemut-qdisk-double-access.patch
debian/patches/xsa155-qemut-xenfb.patch
debian/patches/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
debian/patches/xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch


> * PV superpage functionality is missing sanity checks on data passed to the
> hypervisor by guests. Impact: The vulnerability may have unknown effects,
> ranging from information leaks through Denial of Service to privilege
> escalation. Affected: This feature is disabled by default, that is, only
> systems with an `allowsuperpage' setting on the hypervisor command line are
> vulnerable (CVE-2016-1570 / XSA-167)
>   <http://xenbits.xen.org/xsa/advisory-167.html>

 debian/patches/xsa167-4.4.patch     |  100 ++++++++++

> * VMX: intercept issue with INVLPG on non-canonical address. Impact: A
> malicious guest can crash the host, leading to a Denial of Service.
> Affected: Systems using Intel or Cyrix CPUs are affected. ARM and AMD
> systems are unaffected. Only HVM guests using shadow mode paging can expose
> this vulnerability.  PV guests, and HVM guests using Hardware Assisted
> Paging (also known as EPT on affected hardware), are unaffected.
> (CVE-2016-1571 / XSA-168)
>   <http://xenbits.xen.org/xsa/advisory-168.html>

 debian/patches/xsa168.patch         |   48 ++++

> * VMX: guest user mode may crash guest with non-canonical RIP. Impact:
> Malicious HVM guest user mode code may be able to crash the guest. Affected:
> Only systems using Intel or Cyrix CPUs are affected. ARM and AMD systems are
> unaffected. Only HVM guests are affected. (CVE-2016-2271 / XSA-170)
>   <http://xenbits.xen.org/xsa/advisory-170.html>

 debian/patches/xsa170-4.3.patch     |  102 ++++++++++

> * I/O port access privilege escalation in x86-64 Linux. Impact: User mode
> processes not supposed to be able to access I/O ports may be granted such
> permission, potentially resulting in one or more of in-guest privilege
> escalation, guest crashes (Denial of Service), or in-guest information
> leaks. Affected: x86-64 Linux versions operating as PV Xen guests are
> vulnerable. x86 HVM guests are not vulnerable. 32-bit Linux guests are not
> vulnerable. Probably non-Linux guests are not vulnerable
> either.(CVE-2016-3157 / XSA-171)
>   <http://xenbits.xen.org/xsa/advisory-171.html>

This is a bug in the Linux kernel.

(In reply to Arvid Requate from comment #5)
> * broken AMD FPU FIP/FDP/FOP leak workaround (XSA-172) (CVE-2016-3159)
>   <http://xenbits.xen.org/xsa/advisory-172.html>

debian/patches/xsa172-4.3.patch


r16288 | Bug #39689 xen: Fix remaining CVE/XSA

Package: xen
Version: 4.1.6.1-0ubuntu0.12.04.8.28.201604011535
Branch: ucs_3.3-0
Comment 7 Arvid Requate univentionstaff 2016-04-14 21:33:54 CEST
There is a new advisory, either include the patch, rank it as irrelevant or split it off to a separate Bug (possibly Bug 40697):

* hugetlbfs use may crash PV Linux guests. Impact: Depending on the guest kernel configuration, the OOPS could result in a kernel crash (guest DoS). Affected: All upstream x86 Linux versions operating as PV Xen guests are vulnerable (CVE-2016-3961 / XSA-174)
Comment 8 Philipp Hahn univentionstaff 2016-04-15 07:02:29 CEST
(In reply to Arvid Requate from comment #7)
> There is a new advisory, either include the patch, rank it as irrelevant or
> split it off to a separate Bug (possibly Bug 40697):
> 
> * hugetlbfs use may crash PV Linux guests. Impact: Depending on the guest
> kernel configuration, the OOPS could result in a kernel crash (guest DoS).
> Affected: All upstream x86 Linux versions operating as PV Xen guests are
> vulnerable (CVE-2016-3961 / XSA-174)

This is a bug in the Linux kernel.
Comment 9 Erik Damrose univentionstaff 2016-05-12 15:07:39 CEST
xen-hypervisor-4.1-amd64   4.1.6.1-0ubuntu0.12.04.8.28.201604011535

OK: All issues are fixed in the imported XEN package for UCS 3.3.

Reopen: No changelog entry
Comment 10 Philipp Hahn univentionstaff 2016-05-12 15:46:33 CEST
(In reply to Erik Damrose from comment #9)
> Reopen: No changelog entry

r69300 | Bug #39689 xen: UCS-3.3
 See Bug #40697
Comment 11 Erik Damrose univentionstaff 2016-05-12 15:49:31 CEST
Verified
Comment 12 Arvid Requate univentionstaff 2016-05-12 16:17:37 CEST
There is a new advisory, either include the patch available in the recent jessie DSA package version, rank it as irrelevant or split it off to a separate Bug (possibly Bug 40697):

* Integer overflow in the x86 shadow pagetable code in Xen allows local guest OS users to cause a denial of service (host crash) or possibly gain privileges by shadowing a superpage mapping (CVE-2016-3960 / XSA-173) http://xenbits.xen.org/xsa/advisory-173.html
Comment 13 Erik Damrose univentionstaff 2016-05-12 16:27:30 CEST
There is a new upstream package, but it does not have the fix for XSA-173: xen (4.1.6.1-0ubuntu0.12.04.10)
Comment 14 Philipp Hahn univentionstaff 2016-05-13 13:14:20 CEST
(In reply to Erik Damrose from comment #13)
> There is a new upstream package, but it does not have the fix for XSA-173:
> xen (4.1.6.1-0ubuntu0.12.04.10)

<http://changelogs.ubuntu.com/changelogs/pool/main/x/xen/xen_4.1.6.1-0ubuntu0.12.04.10/changelog>

>    - CVE-2016-2270 / XSA-154
>      * x86: make get_page_from_l1e() return a proper error code
>      * x86: make mod_l1_entry() return a proper error code
>      * x86/mm: fix mod_l1_entry() return value when encountering r/o MMIO
>        page
>      * x86: enforce consistent cachability of MMIO mappings

<https://bugs.launchpad.net/bugs/cve/2016-2270>
<https://bugs.launchpad.net/ubuntu/+source/xen/+bug/1564914> was reported by me

Already fixed in our version by my backported patches:
 debian/patches/xsa154-4.3.patch     |  347 ++++++++++++++++++++++++++++++++++++
 debian/patches/xsa154-prereq1.patch |  252 ++++++++++++++++++++++++++
 debian/patches/xsa154-prereq2.patch |  126 +++++++++++++
 debian/patches/xsa154-prereq3.patch |  213 ++++++++++++++++++++++
 debian/patches/xsa154-prereq4.patch |   41 ++++
Stefan Bader merged them and applied them as
 xsa154-4.1.patch

>    - CVE-2016-1570 / XSA-167
>      * x86/mm: PV superpage handling lacks sanity checks

<https://bugs.launchpad.net/bugs/cve/2016-1570>
<https://bugs.launchpad.net/ubuntu/+source/xen/+bug/1564909> was reported by me

Already fixed in our version by my backported patches:
 debian/patches/xsa167-4.4.patch     |  100 ++++++++++
Stefan Bader applied that patch as
 xsa167-4.4.patch


>    - CVE-2016-1571 / XSA-168
>      * x86/VMX: prevent INVVPID failure due to non-canonical guest address

<https://bugs.launchpad.net/bugs/cve/2016-1571>
<https://bugs.launchpad.net/ubuntu/+source/xen/+bug/1564915> was reported by me

Already fixed in our version by my backported patches:
 debian/patches/xsa168.patch         |   48 ++++
Stefan Bader applied the patch as
 xsa168.patch


>    - CVE-2015-8615 / XSA-169
>      * x86: make debug output consistent in hvm_set_callback_via

<https://bugs.launchpad.net/bugs/cve/2015-8615>
Was not fixed in UCS.
Stefan Bader applied the patch as
 xsa169.patch


>    - CVE-2016-2271 / XSA-170
>      * x86/VMX: sanitize rIP before re-entering guest

<https://bugs.launchpad.net/bugs/cve/2016-2271>
<https://bugs.launchpad.net/ubuntu/+source/xen/+bug/1564916> was reported by me

Already fixed in our version by my backported patches:
 debian/patches/xsa170-4.3.patch     |  102 ++++++++++
Stefan Bader applied the patch as
 xsa170-4.3.patch


(In reply to Arvid Requate from comment #12)
> There is a new advisory, either include the patch available in the recent
> jessie DSA package version, rank it as irrelevant or split it off to a
> separate Bug (possibly Bug 40697):
> 
> * Integer overflow in the x86 shadow pagetable code in Xen allows local
> guest OS users to cause a denial of service (host crash) or possibly gain
> privileges by shadowing a superpage mapping (CVE-2016-3960 / XSA-173)
> http://xenbits.xen.org/xsa/advisory-173.html

<https://bugs.launchpad.net/bugs/cve/2016-3960>
<https://bugs.launchpad.net/ubuntu/+source/xen/+bug/1581420> was filed by me

Already fixed in our version by my backported patches:
 xsa173-4.1.patch |  184 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
Still unfixed in Ubuntu - I forwarded my patch!


(In reply to Arvid Requate from comment #5)
> * broken AMD FPU FIP/FDP/FOP leak workaround (XSA-172) (CVE-2016-3159)

<https://bugs.launchpad.net/bugs/cve/2016-3158>
<https://bugs.launchpad.net/ubuntu/+source/xen/+bug/1581419> was filed by me

Already fixed in our version by my backported patches:
 debian/patches/xsa172-4.3.patch
Still unfixed in Ubuntu - I forwarded my patch!



r16504 | Bug #39689 xen: UCS-3.3
r16507 | Bug #39689 xen: UCS-3.3

Package: xen
Version: 4.1.6.1-0ubuntu0.12.04.10.30.201605131254
Branch: ucs_3.3-0
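The cross-check done by hand in the comment above (walking the Ubuntu changelog's CVE/XSA lines and matching each against the xsaNNN-*.patch files already in debian/patches) is easy to automate so that a missing backport such as XSA-169 is reported rather than spotted by eye. The following script is an added example and is not Univention's or Ubuntu's tooling; the patch list and the changelog excerpt are constructed inline from the names quoted in this bug, and the assumption is that every backported XSA patch file name starts with `xsaNNN` and that the reference changelog names advisories as `CVE-... / XSA-...`.

```python
import re

# Constructed sample input: the backported patch files named in this bug
# (debian/patches/ of the UCS xen package), one name per line.
UCS_PATCH_LIST = """
xsa150-4.1.patch
xsa153-libxl-4.2.patch
xsa154-4.3.patch
xsa154-prereq1.patch
xsa154-prereq2.patch
xsa154-prereq3.patch
xsa154-prereq4.patch
xsa155-qemut-qdisk-double-access.patch
xsa155-qemut-xenfb.patch
xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
xsa156-4.2.patch
xsa159.patch
xsa162-qemut.patch
xsa164.patch
xsa165-4.1.patch
xsa166-4.3.patch
xsa167-4.4.patch
xsa168.patch
xsa170-4.3.patch
xsa172-4.3.patch
xsa173-4.1.patch
"""

# Constructed sample input: the CVE/XSA lines quoted from the Ubuntu
# changelog in comment 14, reduced to the lines carrying identifiers.
UBUNTU_CHANGELOG = """
    - CVE-2016-2270 / XSA-154
      * x86: enforce consistent cachability of MMIO mappings
    - CVE-2016-1570 / XSA-167
      * x86/mm: PV superpage handling lacks sanity checks
    - CVE-2016-1571 / XSA-168
      * x86/VMX: prevent INVVPID failure due to non-canonical guest address
    - CVE-2015-8615 / XSA-169
      * x86: make debug output consistent in hvm_set_callback_via
    - CVE-2016-2271 / XSA-170
      * x86/VMX: sanitize rIP before re-entering guest
"""

# Assumed naming conventions (see lead-in): xsaNNN prefix on patch files,
# "CVE-yyyy-nnnn / XSA-NNN" in the reference changelog.
PATCH_RE = re.compile(r"^xsa(\d+)", re.IGNORECASE)
ADVISORY_RE = re.compile(r"(CVE-\d{4}-\d+)\s*/\s*XSA-(\d+)")


def xsa_numbers_in_patches(patch_list: str) -> set:
    """XSA numbers that have at least one patch file, taken from the
    file-name prefix. Prerequisite patches (xsa154-prereqN) count for
    the same XSA as the main patch."""
    numbers = set()
    for line in patch_list.splitlines():
        m = PATCH_RE.match(line.strip())
        if m:
            numbers.add(int(m.group(1)))
    return numbers


def advisories_in_changelog(changelog: str) -> dict:
    """Map XSA number -> CVE id for every 'CVE-... / XSA-...' line."""
    found = {}
    for cve, xsa in ADVISORY_RE.findall(changelog):
        found[int(xsa)] = cve
    return found


def coverage_report(patch_list: str, changelog: str):
    """Split the advisories the reference changelog fixes into those the
    local package already carries a patch for and those it is missing."""
    have = xsa_numbers_in_patches(patch_list)
    wanted = advisories_in_changelog(changelog)
    covered = {n: c for n, c in wanted.items() if n in have}
    missing = {n: c for n, c in wanted.items() if n not in have}
    return covered, missing


if __name__ == "__main__":
    covered, missing = coverage_report(UCS_PATCH_LIST, UBUNTU_CHANGELOG)
    for n, cve in sorted(covered.items()):
        print(f"XSA-{n:<4} {cve:<15} covered by local patch")
    for n, cve in sorted(missing.items()):
        print(f"XSA-{n:<4} {cve:<15} MISSING: needs a backport or a documented rationale")
```

Run against the constructed inputs it reports XSA-154, 167, 168 and 170 as covered and XSA-169 as missing, which is exactly the gap comment 14 notes by hand; in practice the two inputs would be read from `debian/patches/` and from the upstream or distribution changelog being compared against.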
Comment 15 Arvid Requate univentionstaff 2016-05-17 14:59:32 CEST
Another issue out of embargo today: http://xenbits.xen.org/xsa/advisory-176.html
Comment 16 Arvid Requate univentionstaff 2016-05-23 20:38:07 CEST
And another one:

* http://xenbits.xen.org/xsa/advisory-180.html (CVE-2014-3672 / XSA-180)
Comment 17 Philipp Hahn univentionstaff 2016-05-24 09:21:31 CEST
(In reply to Arvid Requate from comment #15)
> http://xenbits.xen.org/xsa/advisory-176.html

(In reply to Arvid Requate from comment #16)
> * http://xenbits.xen.org/xsa/advisory-180.html (CVE-2014-3672 / XSA-180)

Moved to Bug #41332 as they are too complicated for now or don't apply to UCS
Comment 18 Erik Damrose univentionstaff 2016-05-24 13:05:40 CEST
OK; new version imported, tested fine (see bug #40697)
OK: open issues moved to new bug
Verified
Comment 19 Stefan Gohmann univentionstaff 2016-06-07 21:35:44 CEST
UCS 3.3 has been released:
 https://docs.software-univention.de/release-notes-3.3-0-en.html
 https://docs.software-univention.de/release-notes-3.3-0-de.html

If this error occurs again, please use "Clone This Bug".