Bug 813675

Summary: VUL-0: xen: CVE-2013-1919: XSA-46: Several access permission issues with IRQs for unprivileged guests
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: carnold, jbeulich, jdouglas, jsegitz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:sle11-sp2:52751 maint:running:54856:moderate maint:released:sle11-sp1:54877 maint:released:sle11-sp1:56471
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Xen 4.1.x fix
Xen 4.2.x fix.
xen-unstable fix.
updated patch to fix ARM problems
updated patch to fix ARM problems

Description Alexander Bergmann 2013-04-05 10:06:24 UTC 
Not public yet!

Received via security@suse.de.

Date: Thu, 04 Apr 2013 17:57:14 +0000
From: "Xen.org security team" <security@xen.org>
Subject: [security@suse.de] Xen Security Advisory 46 (CVE-2013-1919) - Several access permission issues with IRQs for unprivileged guests

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-1919 / XSA-46

     Several access permission issues with IRQs for unprivileged guests

             *** EMBARGOED UNTIL 2013-04-18 12:00 UTC ***

ISSUE DESCRIPTION
=================

Various IRQ related access control operations may not have the
intended effect, thus potentially permitting a stub domain to grant
its client domain access to an IRQ it doesn't have access to itself.

IMPACT
======

Malicious or buggy stub domains kernels can mount a denial of service
attack possibly affecting the whole system.

VULNERABLE SYSTEMS
==================

Only Xen systems using stub domains are vulnerable.

Only guests with passed-through IRQs or PCI devices are able to
exploit the vulnerability.

It is remotely possible that PV guests with passthrough IRQs or
devices may also be able to exploit this vulnerability, although we
think this is unlikely.

MITIGATION
==========

Servicing HVM guests with passthrough IRQs or PCI devices in dom0 (ie,
not using a stub domain device model) should avoid this vulnerability.

Reconfiguring the system to disable IRQ/PCI passthrough and instead
providing the guests with appropriate paravirtualised facilities will
avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa46-4.1.patch             Xen 4.1.x
xsa46-4.2.patch             Xen 4.2.x
xsa46-unstable.patch        xen-unstable

$ sha256sum xsa46*.patch
3b2ea317c1cf2ba428cc14946d030d38294747fef2beeb16eba30bcf3b1bc2cc  xsa46-4.1.patch
53c94ef769811680cf2f6814d6f49c6fd0e2c064a86b4b2453642e090555c8c6  xsa46-4.2.patch
db50e94868be0193eadb11bd685c431eeef3f676cac68e307d2a19eafff14154  xsa46-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRXb5cAAoJEIP+FMlX6CvZHVkIALM8m0D/BlPt9XcwqtpJAm3S
NyQ28Yu9D/KRefIUMYu4qJgsvOarwxxGjEtfzx6cgsZEr1RI0yFE3FCQfv0CkPzT
pofOnRc9hNipXf5us4pnbyS0QSfEqyZwYUgrzbdQqbVvU2AnVmxthMUnQwEEuqGk
kHUW4aqYt/ZfedzBkz++swUjH3shXq+5sFEhQfYOx6vzy7+tB+seqJPVwV2pECHW
0e1xsDs1A6Iiv7Y62ZLJXDa8OLtGk31zHKMZOZsEuMk9FGcUyYQYWBi3EwrTkiJG
3cpIEdDlg91H6PgDrlUWjNJQkugq+aYy94Y3mF+zVYIrwbwCYQu1NLV1wqq6LaM=
=R959
-----END PGP SIGNATURE-----
Comment 1 Alexander Bergmann 2013-04-05 10:20:19 UTC 
Created attachment 533686 [details]
Xen 4.1.x fix
Comment 2 Alexander Bergmann 2013-04-05 10:20:45 UTC 
Created attachment 533687 [details]
Xen 4.2.x fix.
Comment 3 Alexander Bergmann 2013-04-05 10:21:10 UTC 
Created attachment 533688 [details]
xen-unstable fix.
Comment 4 Swamp Workflow Management 2013-04-05 22:00:19 UTC 
bugbot adjusting priority
Comment 5 Sebastian Krahmer 2013-04-16 13:40:15 UTC 
Created attachment 535339 [details]
updated patch to fix ARM problems

.
Comment 6 Sebastian Krahmer 2013-04-16 13:41:03 UTC 
Created attachment 535340 [details]
updated patch to fix ARM problems

.
Comment 7 Alexander Bergmann 2013-04-18 14:35:13 UTC 
now public via xen.org
Comment 8 Alexander Bergmann 2013-04-18 15:00:43 UTC 
Charles, could we get a status?
Comment 9 Charles Arnold 2013-04-18 15:45:59 UTC 
(In reply to comment #8)
> Charles, could we get a status?

SLE11 SP3: Will be in RC1
SLE11 SP2: Running internal stage testing with fix.  Just received word of
another bug (CVE-2013-1964, xsa50) that probably needs to be included with
this batch of security updates. There is no bug yet that I can find but
I've been told it is already public.

openSUSE 12.2/3: I can submit this anytime but first need to add xsa50.
Comment 10 Alexander Bergmann 2013-04-19 08:39:45 UTC 
CVE-2013-1964 is listed in bug#816156.
Comment 11 Jan Beulich 2013-05-02 07:26:42 UTC 
For everyone's information: An apparent regression with this change used under the xend/xm tool stack (breaking pass-through to PV guests) has been reported upstream (i.e. on xen-devel). Not root caused yet, and hence no fix (or ETA for one) available yet.
Comment 12 Bernhard Wiedemann 2013-05-07 16:00:43 UTC 
This is an autogenerated message for OBS integration:
This bug (813675) was mentioned in
https://build.opensuse.org/request/show/174763 Factory / xen
Comment 13 Bernhard Wiedemann 2013-05-09 11:00:44 UTC 
This is an autogenerated message for OBS integration:
This bug (813675) was mentioned in
https://build.opensuse.org/request/show/174892 Factory / xen
Comment 14 Jan Beulich 2013-05-21 09:36:22 UTC 
The tentative fix for the regression got verified on both 4.1 and 4.2, and was committed a minute ago to the upstream master branch. With that, this shouldn't be holding up the release of the maintenance update anymore.
Comment 15 Swamp Workflow Management 2013-05-23 09:13:58 UTC 
The SWAMPID for this issue is 52595.
This issue was rated as important.
Please submit fixed packages until 2013-05-30.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 16 Charles Arnold 2013-05-28 22:01:49 UTC 
Submitted for SLE11SP2:
Xen: SR#26763
Vm-install: SR#26764
libvirt: SR#26758
virt-manager: SR#26765

See bnc#813673 for detailed bug fix list.
Comment 17 Swamp Workflow Management 2013-06-25 07:59:07 UTC 
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP2 (i386, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 18 Swamp Workflow Management 2013-08-30 14:05:59 UTC 
openSUSE-SU-2013:1392-1: An update that solves 12 vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 801663,803712,809662,813673,813675,813677,814709,816156,816159,816163,819416,820917,820919,820920,823011,823608,823786,824676,826882
CVE References: CVE-2013-1432,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1920,CVE-2013-1952,CVE-2013-1964,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2078,CVE-2013-2211
Sources used:
openSUSE 12.2 (src):    xen-4.1.5_04-5.29.1
Comment 19 Swamp Workflow Management 2013-09-04 13:06:44 UTC 
openSUSE-SU-2013:1404-1: An update that solves 13 vulnerabilities and has 13 fixes is now available.

Category: security (moderate)
Bug References: 797285,797523,801663,802221,808085,808269,809662,813673,813675,814059,814709,816159,816163,817068,817210,817799,817904,818183,819416,820917,820919,820920,823011,823608,824676,826882
CVE References: CVE-2012-6075,CVE-2013-0151,CVE-2013-1432,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1922,CVE-2013-1952,CVE-2013-2007,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2078
Sources used:
openSUSE 12.3 (src):    xen-4.2.2_06-1.16.1
Comment 20 Alexander Bergmann 2013-09-26 12:59:26 UTC 
Closed as fixed.
Comment 21 Swamp Workflow Management 2013-11-29 16:05:04 UTC 
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-libs, xen-tools, xen-tools-domU
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 22 Swamp Workflow Management 2014-03-25 18:48:02 UTC 
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, x86_64)
Comment 23 Swamp Workflow Management 2014-03-25 22:07:51 UTC 
SUSE-SU-2014:0446-1: An update that fixes 47 vulnerabilities is now available.

Category: security (important)
Bug References: 777628,777890,779212,786516,786517,786519,786520,787163,789944,789945,789948,789950,789951,794316,797031,797523,800275,805094,813673,813675,813677,816156,816159,816163,819416,820917,820919,823011,823608,826882,831120,839596,839618,840592,841766,842511,848657,849667,849668,853049,860163
CVE References: CVE-2006-1056,CVE-2007-0998,CVE-2012-3497,CVE-2012-4411,CVE-2012-4535,CVE-2012-4537,CVE-2012-4538,CVE-2012-4539,CVE-2012-4544,CVE-2012-5510,CVE-2012-5511,CVE-2012-5513,CVE-2012-5514,CVE-2012-5515,CVE-2012-5634,CVE-2012-6075,CVE-2012-6333,CVE-2013-0153,CVE-2013-0154,CVE-2013-1432,CVE-2013-1442,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1920,CVE-2013-1952,CVE-2013-1964,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-2211,CVE-2013-2212,CVE-2013-4329,CVE-2013-4355,CVE-2013-4361,CVE-2013-4368,CVE-2013-4494,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_16-0.5.1