Bug 875668 - (CVE-2014-3124) VUL-0: CVE-2014-3124: xen: XSA-92: HVMOP_set_mem_type allows invalid P2M entries to be created
(CVE-2014-3124)
VUL-0: CVE-2014-3124: xen: XSA-92: HVMOP_set_mem_type allows invalid P2M entr...
Status: VERIFIED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Charles Arnold
Security Team bot
maint:running:59647:moderate
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-04-29 13:47 UTC by Alexander Bergmann
Modified: 2014-12-30 16:38 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2014-04-29 13:47:36 UTC
Xen Security Advisory XSA-92
                              version 2

      HVMOP_set_mem_type allows invalid P2M entries to be created

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The implementation in Xen of the HVMOP_set_mem_type HVM control
operations attempts to exclude transitioning a page from an
inappropriate memory type.  However, only an inadequate subset of
memory types is excluded.

There are certain other types that don't correspond to a particular
valid page, whose page table translation can be inappropriately
changed (by HVMOP_set_mem_type) from not-present (due to the lack of
valid memory page) to present.  If this occurs, an invalid translation
will be established.

IMPACT
======

In a configuration where device models run with limited privilege (for
example, stubdom device models), a guest attacker who successfully
finds and exploits an unfixed security flaw in qemu-dm could leverage
the other flaw into a Denial of Service affecting the whole host.

In the more general case, in more abstract terms: a malicious
administrator of a domain privileged with regard to an HVM guest can
cause Xen to crash leading to a Denial of Service.

Arbitrary code execution, and therefore privilege escalation, cannot
be entirely excluded: On a system with a RAM page present immediately
below the 52-bit address boundary, this would be possible.  However,
we are not aware of any systems with such a memory layout.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.1 onwards are vulnerable.

The vulnerability is only exposed to service domains for HVM guests
which have privilege over the guest.  In a usual configuration that
means only device model emulators (qemu-dm).

In the case of HVM guests whose device model is running in an
unrestricted dom0 process, qemu-dm already has the ability to cause
problems for the whole system.  So in that case the vulnerability is
not applicable.

The situation is more subtle for an HVM guest with a stub qemu-dm.
That is, where the device model runs in a separate domain (in the case
of xl, as requested by "device_model_stubdomain_override=1" in the xl
domain configuration file).  The same applies with a qemu-dm in a dom0
process subjected to some kind kernel-based process privilege
limitation (eg the chroot technique as found in some versions of
XCP/XenServer).

In those latter situations this issue means that the extra isolation
does not provide as good a defence (against denial of service) as
intended.  That is the essence of this vulnerability.

However, the security is still better than with a qemu-dm running as
an unrestricted dom0 process.  Therefore users with these
configurations should not switch to an unrestricted dom0 qemu-dm.

Finally, in a radically disaggregated system: where the HVM service
domain software (probably, the device model domain image) is not
always supplied by the host administrator, a malicious service domain
administrator can exercise this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

In a radically disaggregated system, restricting HVM service domains
to software images approved by the host administrator will avoid the
vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa92.patch                 xen-unstable, Xen 4.4.x, Xen 4.3.x
xsa92-4.2.patch             Xen 4.2.x
xsa92-4.1.patch             Xen 4.1.x

$ sha256sum xsa92*.patch
184dcb88dfb4540fca33016ffcfe0f4f557449ab5b4ec6a4bf486c75926d23f3  xsa92.patch
76905398958dfcec98fb5bde2a68c0e86a3ccc9f442a8a658e972937fd75534a  xsa92-4.1.patch
bca98827834f807c787fceb6c719d9d4fe3c40786cb087156829e5e6fb5700d6  xsa92-4.2.patch
$
Comment 1 Swamp Workflow Management 2014-04-29 22:00:19 UTC
bugbot adjusting priority
Comment 2 Alexander Bergmann 2014-05-02 06:35:53 UTC
CVE-2014-3124 was assigned to this issue.
Comment 3 Alexander Bergmann 2014-05-02 16:18:53 UTC
Charles/Jan are we affected by this? And if yes, which code-streams?
Comment 4 Charles Arnold 2014-05-02 16:35:32 UTC
(In reply to comment #3)
> Charles/Jan are we affected by this? And if yes, which code-streams?

SLE11-SP2 (Xen 4.1 - LTSS only)
SLE11-SP3 (Xen 4.2)
SLE12 (Xen 4.4 - Patched in Beta 6)

os12.3 (Xen 4.2)
os13.1 (Xen 4.3)
Comment 5 Jan Beulich 2014-05-09 12:07:59 UTC
(In reply to comment #3)
> Charles/Jan are we affected by this? And if yes, which code-streams?

In fact it depends on what you mean by "affected": Yes, the problematic code is there. But no, we don't support any form of disaggregation right now.
Comment 6 Sebastian Krahmer 2014-05-20 13:03:41 UTC
That basically means we can close this bug as INVALID?
Comment 7 Jan Beulich 2014-05-20 13:16:52 UTC
I would think so, yes.
Comment 8 Sebastian Krahmer 2014-05-20 14:10:44 UTC
thx
Comment 9 Swamp Workflow Management 2014-10-09 11:10:12 UTC
openSUSE-SU-2014:1281-1: An update that solves 10 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 798770,820873,842006,864801,865682,875668,878841,880751,882127,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-3124,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 13.1 (src):    xen-4.3.2_02-27.1
Comment 10 Swamp Workflow Management 2014-12-24 18:05:32 UTC
SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.5.1