Bug 880751 (CVE-2014-4021)

Summary: VUL-0: CVE-2014-4021: xen: XSA-100: Hypervisor heap contents leaked to guests
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, andreas.taschner, brent.griggs, carnold, jbeulich, krahmer, lchiquitto
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:running:59647:moderate maint:released:sle10-sp4:59947 maint:released:sle11-sp2:59949 maint:released:sle11-sp1:59807 maint:released:sle11-sp1:59948
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Johannes Segitz 2014-05-30 13:41:37 UTC
Created attachment 592810 [details]
Patch for XSA-100

EMBARGOED UNTIL 2014-06-17 12:00 UTC

ISSUE DESCRIPTION
=================

While memory pages recovered from dying guests are being cleaned to avoid
leaking sensitive information to other guests, memory pages that were in
use by the hypervisor and are eligible to be allocated to guests weren't
being properly cleaned.  Such exposure of information would happen through
memory pages freshly allocated to or by the guest.

Normally the leaked data is administrative information of limited
value to an attacker.  However, scenarios exist where guest CPU
register state and hypercall arguments might be leaked.

IMPACT
======

A malicious guest might be able to read data relating to other guests
or the hypervisor itself.

Data at rest in guest memory or storage (filesystems) is not affected.
However, it is possible for an attacker to obtain modest amounts of
in-flight and in-use data, which might contain passwords or
cryptographic keys.

VULNERABLE SYSTEMS
==================
Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

MITIGATION
==========

No comprehensive mitigation is available.

An attacker will find it easier to obtain sensitive data from a victim
guest if the attacker is able to initiate domain management operations
and lifecycle events for that guest.  This includes a situation where
the attacker can cause the victim guest to crash.

Therefore the risk from this vulnerability can be somewhat reduced by
restricting management (such as migration or resource adjustment) to
fully trusted guest or host administrators, and by eliminating any
Denial of Service vulnerabilities against potential victim guests.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa100.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x

Note that to avoid a regression on systems with AMD IOMMU, additionally
commit 6b4d71d0 ("AMD IOMMU: don't free page table prematurely") found at
http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=6b4d71d028f445cba7426a144751fddc8bfdd67b
will be required if not already in place in the respective tree.

This additional patch is known not to apply cleanly to Xen 4.1 and no
backport is available at the time of writing.  We would appreciate
contributions of a backported version.

$ sha256sum xsa100*.patch
2cbd3a52bb8d32d00a19e2ce48e3157034b484b4a7b7282cae0d108ffb4ddca0  xsa100.patch
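To make the failure mode concrete, here is an added toy model of a page pool shared by a hypervisor heap and guest allocations (example code written for this page, not Xen's allocator or the XSA-100 patch; all names, sizes and the "secret" contents are constructed). It contrasts returning a hypervisor-used page to the pool unscrubbed, which lets the next guest allocation read the leftover data, with scrubbing the page before it becomes eligible for guests.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model of a page pool shared by the hypervisor heap and guest
 * allocations. Constructed for illustration; it is not Xen's allocator. */
#define PAGE_BYTES 64
#define NPAGES     4

static uint8_t pool[NPAGES][PAGE_BYTES];
static bool    in_use[NPAGES];

/* Constructed stand-in for in-flight hypervisor data (e.g. hypercall args). */
static const char secret[] = "constructed-hypercall-argument";

static int alloc_page(void)
{
    for (int i = 0; i < NPAGES; i++)
        if (!in_use[i]) { in_use[i] = true; return i; }
    return -1;
}

/* Vulnerable path: a hypervisor-heap page goes back to the pool as-is,
 * so the next guest allocation can read whatever was left in it. */
static void free_page_unscrubbed(int pg) { in_use[pg] = false; }

/* Fixed path: scrub before the page becomes eligible for guests. */
static void free_page_scrubbed(int pg)
{
    memset(pool[pg], 0, PAGE_BYTES);
    in_use[pg] = false;
}

/* Count bytes of stale content visible in a freshly allocated page. */
static size_t stale_bytes(int pg)
{
    size_t n = 0;
    for (size_t i = 0; i < PAGE_BYTES; i++) n += pool[pg][i] != 0;
    return n;
}

/* Hypervisor uses a page, frees it, a guest then gets the same page.
 * Returns how many stale bytes the guest can observe. */
static size_t simulate(bool scrub_on_free)
{
    memset(pool, 0, sizeof pool);
    memset(in_use, 0, sizeof in_use);
    int hv = alloc_page();
    memcpy(pool[hv], secret, sizeof secret);
    if (scrub_on_free) free_page_scrubbed(hv); else free_page_unscrubbed(hv);
    return stale_bytes(alloc_page());
}
```

The same check (allocate, fill, free, allocate again, inspect) is how a scrub-on-free regression would be caught in a unit test of any allocator that hands memory across trust boundaries.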
Comment 1 Swamp Workflow Management 2014-05-30 22:00:44 UTC
bugbot adjusting priority
Comment 2 SMASH SMASH 2014-06-10 13:40:21 UTC
Affected packages:

SLE-11-SP3: xen
Comment 3 Alexander Bergmann 2014-06-10 15:33:30 UTC
*** Bug 881987 has been marked as a duplicate of this bug. ***
Comment 4 Johannes Segitz 2014-06-17 12:38:32 UTC
went public
Comment 7 Swamp Workflow Management 2014-09-08 10:02:45 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-09-22.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58863
Comment 10 Charles Arnold 2014-09-19 00:34:02 UTC
Summary of what is checked in.  Let me know if I should delete the
Teradata submissions and just leave the standard SLE11-SP1 and SLE10-SP3
submissions.

All Bugs
========
- bnc#895802 - VUL-0: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts
- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
- bnc#895798 - VUL-0: xen: XSA-104: Race condition in HVMOP_track_dirty_vram
- bnc#864801 - VUL-0: CVE-2013-4540: qemu: zaurus: buffer overrun on invalid state load
- bnc#891539 - xend: fix netif convertToDeviceNumber for running domains
- bnc#882092 - Installing SLES12 as a VM on SLES11 SP3 fails because of btrfs in the VM 
- bnc#881900 - XEN kernel panic do_device_not_available()
- bnc#833483 - Boot Failure with xen kernel in UEFI mode with error "No memory for trampoline"
- bnc#880751 - VUL-0: xen: Hypervisor heap contents leaked to guests
- bnc#878841 - VUL-0: XSA-96: Xen: Vulnerabilities in HVM MSI injection 
- bnc#862608 - SLES 11 SP3 vm-install should get RHEL 7 support when released
- bnc#867910 - VUL-0: xen: XSA-89: HVMOP_set_mem_access is not preemptible
- bnc#842006 - VUL-1: CVE-2013-4344: XSA-65: xen: qemu SCSI REPORT LUNS buffer overflow
- bnc#858178 - [HP HPS Bug]: SLES11sp3 XEN kiso version cause softlockup on 8 blades npar(480 cpu)
- bnc#865682 - Local attach support for PHY backends using scripts
- bnc#798770 - Improve multipath support for npiv devices

Security and Maintenance SLE11-SP3
SR#44321
==================================
- bnc#895802 - VUL-0: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts
- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
- bnc#895798 - VUL-0: xen: XSA-104: Race condition in HVMOP_track_dirty_vram
- bnc#864801 - VUL-0: CVE-2013-4540: qemu: zaurus: buffer overrun on invalid state load
- bnc#880751 - VUL-0: CVE-2014-4021: xen: XSA-100: Hypervisor heap contents leaked to guests
- bnc#878841 - VUL-0: XSA-96: Xen: Vulnerabilities in HVM MSI injection
- bnc#867910 - VUL-0: xen: XSA-89: HVMOP_set_mem_access is not preemptible
- bnc#842006 - VUL-1: CVE-2013-4344: XSA-65: xen: qemu SCSI REPORT LUNS buffer overflow
- bnc#882092 - Installing SLES12 as a VM on SLES11 SP3 fails because of btrfs in the VM
- bnc#891539 - Bug in virsh attach-device / detach-device functions
- bnc#881900 - XEN kernel panic do_device_not_available()
- bnc#833483 - Boot Failure with xen kernel in UEFI mode with error "No memory for trampoline"
- bnc#862608 - SLES 11 SP3 vm-install should get RHEL 7 support when released
- bnc#858178 - [HP HPS Bug]: SLES11sp3 XEN kiso version cause softlockup on 8 blades npar(480 cpu)
- bnc#865682 - Local attach support for PHY backends using scripts
- bnc#798770 - Improve multipath support for npiv devices

Security SLE11-SP2
SR#44322
==================
- bnc#895802 - VUL-0: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts
- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
- bnc#895798 - VUL-0: xen: XSA-104: Race condition in HVMOP_track_dirty_vram
- bnc#880751 - VUL-0: CVE-2014-4021: xen: XSA-100: Hypervisor heap contents leaked to guests
- bnc#875668 - VUL-0: CVE-2014-3124: xen: XSA-92: HVMOP_set_mem_type allows invalid P2M entries to be created
- bnc#867910 - VUL-0: CVE-2014-2599: xen: XSA-89: HVMOP_set_mem_access is not preemptible

Security SLE11-SP1 (SUSE:SLE-11-SP1:Update:Teradata:Test)
SR#44323, (Teradata SR#44326)
==================
- bnc#895802 - VUL-0: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts
- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
- bnc#895798 - VUL-0: xen: XSA-104: Race condition in HVMOP_track_dirty_vram
- bnc#880751 - VUL-0: CVE-2014-4021: xen: XSA-100: Hypervisor heap contents leaked to guests

Security SLE10-SP3/SP4 (SUSE:SLE-10-SP3:Update:Teradata:Test)
SP3 SR#44324, (Teradata SR#44327)
SP4 SR#44325
======================
- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
- bnc#880751 - VUL-0: CVE-2014-4021: xen: XSA-100: Hypervisor heap contents leaked to guests
Comment 11 Alexander Bergmann 2014-09-19 09:53:15 UTC
Hi Charles,

the following bugs/XSAs got CVEs assigned that are missing inside the changes file. Please resubmit.

SLE11-SP3(SR#44321):
bnc#867910: XSA-89: CVE-2014-2599
bnc#878841: XSA-96: CVE-2014-3967, CVE-2014-3968
bnc#880751: XSA-100: CVE-2014-4021


The Teradata submissions are looking good.
Comment 12 Charles Arnold 2014-09-19 13:53:28 UTC
(In reply to comment #11)
> Hi Charles,
> 
> the following bugs/XSAs got CVEs assigned that are missing inside the changes
> file. Please resubmit.
> 
> SLE11-SP3(SR#44321):
> bnc#867910: XSA-89: CVE-2014-2599
> bnc#878841: XSA-96: CVE-2014-3967, CVE-2014-3968
> bnc#880751: XSA-100: CVE-2014-4021

Yes, the original entries were made before a CVE had been assigned.
They have now been updated in the change log to contain the CVE.

New SR#44354
Comment 13 Swamp Workflow Management 2014-09-22 09:43:32 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-10-06.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59011
Comment 14 Charles Arnold 2014-09-23 22:25:09 UTC
Updates submitted for openSUSE.
os12.3: MR#251755
os13.1: MR#251756
Comment 17 Swamp Workflow Management 2014-10-09 11:07:30 UTC
openSUSE-SU-2014:1279-1: An update that solves 10 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 798770,820873,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,891539,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 12.3 (src):    xen-4.2.4_04-1.32.1
Comment 18 Swamp Workflow Management 2014-10-09 11:10:34 UTC
openSUSE-SU-2014:1281-1: An update that solves 10 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 798770,820873,842006,864801,865682,875668,878841,880751,882127,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-3124,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 13.1 (src):    xen-4.3.2_02-27.1
Comment 19 Swamp Workflow Management 2014-10-22 23:07:12 UTC
SUSE-SU-2014:1318-1: An update that solves 10 vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 798770,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,882092,891539,895798,895799,895802,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.4_04-0.9.1
Comment 20 Sebastian Krahmer 2014-10-27 09:35:54 UTC
released
Comment 21 Swamp Workflow Management 2014-12-23 18:04:58 UTC
SUSE-SU-2014:1691-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 880751,895799,903850,903970,905467,906439
CVE References: CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    xen-3.2.3_17040_46-0.9.1
Comment 22 Swamp Workflow Management 2014-12-24 18:05:42 UTC
SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.5.1
Comment 23 Swamp Workflow Management 2014-12-30 19:05:08 UTC
SUSE-SU-2014:1732-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 826717,880751,895798,895799,895802,903967,903970,905467,906439
CVE References: CVE-2013-3495,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-8594,CVE-2014-8595,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.9.1