Bug 1014300 – VUL-0: CVE-2016-10025: xen: x86: missing NULL pointer check in VMFUNC emulation (XSA-203)

Bug 1014300 - (CVE-2016-10025) VUL-0: CVE-2016-10025: xen: x86: missing NULL pointer check in VMFUNC emulation (XSA-203)

(CVE-2016-10025)
Summary:	VUL-0: CVE-2016-10025: xen: x86: missing NULL pointer check in VMFUNC emulati...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Charles Arnold
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2016-12-07 16:01 UTC by Marcus Meissner
Modified:	2017-05-17 22:49 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 1 Marcus Meissner 2016-12-07 16:02:04 UTC

Created attachment 705397 [details]
xsa203.patch

xsa203.patch

Comment 2 Marcus Meissner 2016-12-07 16:02:47 UTC

Created attachment 705398 [details]
xsa203-4.8.patch

xsa203-4.8.patch

Comment 3 Marcus Meissner 2016-12-07 16:03:07 UTC

Created attachment 705399 [details]
xsa203-4.7.patch

xsa203-4.7.patch

Comment 4 Swamp Workflow Management 2016-12-07 23:02:47 UTC

bugbot adjusting priority

Comment 5 Marcus Meissner 2016-12-21 12:53:23 UTC

is public now

            Xen Security Advisory CVE-2016-10025 / XSA-203
                               version 3

          x86: missing NULL pointer check in VMFUNC emulation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When support for the Intel VMX VMFUNC leaf 0 was added, a new optional
function pointer hvmemul_vmfunc was added to the hvm_emulate_ops
table.  As is intended, that new function pointer is NULL on non-VMX
hardware, including AMD SVM hardware.  However at a call site, the
necessary NULL check was omitted before the indirect function call.

IMPACT
======

Malicious guests may cause a hypervisor crash, resulting in a Denial
of Service (DoS).

VULNERABLE SYSTEMS
==================

Xen versions 4.6 and newer are vulnerable.  Xen versions 4.5 and earlier
are not vulnerable.

Only HVM guests can exploit the vulnerability.  PV guests cannot exploit
the vulnerability.

Only x86 systems using SVM (AMD virtualisation extensions) rather than
VMX (Intel virtualisation extensions) are vulnerable.  This applies to
HVM guests on AMD x86 CPUs.  Therefore AMD x86 hardware is vulnerable;
Intel hardware is not vulnerable.

ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Running HVM guests on only VMX capable hardware will also avoid this
vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa203.patch           xen-unstable
xsa203-4.8.patch       Xen 4.8.x
xsa203-4.7.patch       Xen 4.7.x, Xen 4.6.x

$ sha256sum xsa203*
9af7e862705987a60de1def81ed179931c3f683d05b05c2708cf16bb85d203c9  xsa203.patch
7cc04278778fe885e4c3ae3f846d099075a38bccfafe6dff018ba525499b4e46  xsa203-4.7.patch
4218fcfff11ec4788462a3ea9dddecb25b9d9fb1beaad17ca0f723b07b6675e4  xsa203-4.8.patch
$

Comment 6 Swamp Workflow Management 2016-12-21 18:09:35 UTC

SUSE-SU-2016:3208-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1012651,1014298,1014300,1016340
CVE References: CVE-2016-10013,CVE-2016-10024,CVE-2016-10025,CVE-2016-9932
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.1_04-28.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.1_04-28.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.1_04-28.1

Comment 7 Marcus Meissner 2016-12-22 12:08:03 UTC

released during emu update

Comment 8 Swamp Workflow Management 2017-01-02 12:07:36 UTC

openSUSE-SU-2017:0005-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1012651,1014298,1014300,1016340
CVE References: CVE-2016-10013,CVE-2016-10024,CVE-2016-10025,CVE-2016-9932
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.1_04-6.1

Comment 9 Swamp Workflow Management 2017-02-27 17:14:48 UTC

SUSE-SU-2017:0571-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1000195,1002496,1005028,1012651,1014298,1014300,1015169,1016340,1022871,1023004,1024834
CVE References: CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.1_06-31.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.1_06-31.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.1_06-31.1

Comment 10 Swamp Workflow Management 2017-03-11 14:08:41 UTC

openSUSE-SU-2017:0665-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1000195,1002496,1005028,1012651,1014298,1014300,1015169,1016340,1022871,1023004,1024834
CVE References: CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.1_06-9.2