Bugzilla – Bug 816156
VUL-0: xen: CVE-2013-1964: XSA-50: grant table hypercall acquire/release imbalance
Last modified: 2015-03-05 14:55:58 UTC
public via xen.org From: "Xen.org security team" <security@xen.org> Date: Thu, 18 Apr 2013 15:16:16 +0000 Subject: [security@suse.de] Xen Security Advisory 50 (CVE-2013-1964) - grant table hypercall acquire/release imbalance -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-1964 / XSA-50 grant table hypercall acquire/release imbalance ISSUE DESCRIPTION ================= When releasing a non-v1 non-transitive grant after doing a grant copy operation, Xen incorrectly recurses (as if for a transitive grant) and releases an unrelated grant reference. IMPACT ====== A malicious guest administrator can cause undefined behaviour; depending on the dom0 kernel a host crash is possible, but information leakage or privilege escalation cannot be ruled out. VULNERABLE SYSTEMS ================== Xen 4.0 and 4.1 are vulnerable. Any kind of guest can trigger the vulnerability. Xen 4.2 and xen-unstable, as well as Xen 3.x and earlier, are not vulnerable. MITIGATION ========== Using only trustworthy guest kernels will avoid the vulnerability. Using a debug build of Xen will eliminate the possible information leak or privilege violation; instead, if the vulnerability is attacked, Xen will crash. NOTE REGARDING EMBARGO ====================== A crash resulting from this bug has been reported by a user on the public xen-devel mailing list. There is therefore no embargo. RESOLUTION ========== Applying the attached patch resolves this issue. xsa50-4.1.patch $ sha256sum xsa50-*.patch 29f76073311a372dd30dd4788447850465d2575d5ff7b2c10912a69e4941fb21 xsa50-4.1.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRcA4pAAoJEIP+FMlX6CvZHhsIAK2RYhWr4CQ2ziTh3o1cbkXe HfDcWHjLTe1+zoULCKbptUHcoH6/oPxwZBklAfNSECFT47a4FKZu/ARCP1IBtot2 o6cuTTlYgLMMpSfVW//aDJQ59YivhcwN5omLEp4G8N/YHw0IA1W58/IpNKXVbNNy pmMEqus/QUH8EzGaxLfwIfSrJR96x96QKOlG94lohY5P5aipx/5vXzUPyRFXLbOZ jr8Ve+woNuYAeBx3zue7TNfhePVuDUl8b7ufhsuYdwkODzEXCNLcJM93Z3eaKfPp CVDBE38GUO9hr5CpBh5QgGeCCeMhxwI8jXTXUb6N8KFrwgbq04HP7BOmVI4O8Xs= =jiz6 -----END PGP SIGNATURE-----
Created attachment 536028 [details] Xen 4.1.x fix
bugbot adjusting priority
The SWAMPID for this issue is 52595. This issue was rated as important. Please submit fixed packages until 2013-05-30. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Submitted for SLE11SP2: Xen: SR#26763 Vm-install: SR#26764 libvirt: SR#26758 virt-manager: SR#26765 See bnc#813673 for detailed bug fix list.
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU Products: SLE-DEBUGINFO 11-SP2 (i386, x86_64) SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SDK 11-SP2 (i386, x86_64) SLE-SERVER 11-SP2 (i386, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
openSUSE-SU-2013:1392-1: An update that solves 12 vulnerabilities and has 7 fixes is now available. Category: security (moderate) Bug References: 801663,803712,809662,813673,813675,813677,814709,816156,816159,816163,819416,820917,820919,820920,823011,823608,823786,824676,826882 CVE References: CVE-2013-1432,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1920,CVE-2013-1952,CVE-2013-1964,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2078,CVE-2013-2211 Sources used: openSUSE 12.2 (src): xen-4.1.5_04-5.29.1
Closed as fixed. (SLE-11-SP2 / openSUSE 12.2)
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-libs, xen-tools, xen-tools-domU Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU Products: SLE-DEBUGINFO 11-SP1 (i386, x86_64) SLE-SERVER 11-SP1-LTSS (i386, x86_64)
SUSE-SU-2014:0446-1: An update that fixes 47 vulnerabilities is now available. Category: security (important) Bug References: 777628,777890,779212,786516,786517,786519,786520,787163,789944,789945,789948,789950,789951,794316,797031,797523,800275,805094,813673,813675,813677,816156,816159,816163,819416,820917,820919,823011,823608,826882,831120,839596,839618,840592,841766,842511,848657,849667,849668,853049,860163 CVE References: CVE-2006-1056,CVE-2007-0998,CVE-2012-3497,CVE-2012-4411,CVE-2012-4535,CVE-2012-4537,CVE-2012-4538,CVE-2012-4539,CVE-2012-4544,CVE-2012-5510,CVE-2012-5511,CVE-2012-5513,CVE-2012-5514,CVE-2012-5515,CVE-2012-5634,CVE-2012-6075,CVE-2012-6333,CVE-2013-0153,CVE-2013-0154,CVE-2013-1432,CVE-2013-1442,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1920,CVE-2013-1952,CVE-2013-1964,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-2211,CVE-2013-2212,CVE-2013-4329,CVE-2013-4355,CVE-2013-4361,CVE-2013-4368,CVE-2013-4494,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894 Sources used: SUSE Linux Enterprise Server 11 SP1 LTSS (src): xen-4.0.3_21548_16-0.5.1