Bug 895798 – VUL-0: CVE-2014-7154: xen: XSA-104: Race condition in HVMOP_track_dirty_vram

Bug 895798 - (CVE-2014-7154) VUL-0: CVE-2014-7154: xen: XSA-104: Race condition in HVMOP_track_dirty_vram

(CVE-2014-7154)
Summary:	VUL-0: CVE-2014-7154: xen: XSA-104: Race condition in HVMOP_track_dirty_vram

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:sle11-sp1:59013 maint:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2014-09-09 12:52 UTC by Marcus Meissner
Modified:	2015-02-10 10:49 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
xsa104.patch (1.61 KB, patch) 2014-09-09 12:53 UTC, Marcus Meissner	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2014-09-09 12:52:40 UTC

embargoed, via email pre-advisory

              *** EMBARGOED UNTIL 2014-09-23 12:00 UTC ***

                    Xen Security Advisory XSA-104

               Race condition in HVMOP_track_dirty_vram

              *** EMBARGOED UNTIL 2014-09-23 12:00 UTC ***

ISSUE DESCRIPTION
=================

The routine controlling the setup of dirty video RAM tracking latches
the value of a pointer before taking the respective guarding lock, thus
making it possible for a stale pointer to be used by the time the lock
got acquired and the pointer gets dereferenced.

The hypercall providing access to the affected function is available to
the domain controlling HVM guests.

IMPACT
======

Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

Only domains controlling HVM guests can exploit this vulnerability.
(This includes domains providing hardware emulation services to HVM
guests.)

VULNERABLE SYSTEMS
==================

Xen versions from 4.0.0 onwards are vulnerable.

This vulnerability is only applicable to Xen systems using stub
domains or other forms of disaggregation of control domains for HVM
guests.

MITIGATION
==========

There is no mitigation available for this issue.

(The security of a Xen system using stub domains is still better than
with a qemu-dm running as an unrestricted dom0 process.  Therefore
users with these configurations should not switch to an unrestricted
dom0 qemu-dm.)

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa104.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa104*.patch
fc02f6365ca79a6ef386c882b57fab8b56aa12b54fc9b05054552f0f25e32047  xsa104.patch
$

Comment 1 Marcus Meissner 2014-09-09 12:53:04 UTC

Created attachment 605559 [details]
xsa104.patch

attached patch

Comment 2 SMASH SMASH 2014-09-09 13:30:13 UTC

Affected packages:

SLE-10-SP3-TERADATA: xen
SLE-11-SP1-TERADATA: xen
SLE-11-SP3: xen
SLE-11-SP3-PRODUCTS: xen
SLE-11-SP3-UPTU: xen

Comment 3 Swamp Workflow Management 2014-09-09 22:00:21 UTC

bugbot adjusting priority

Comment 4 Charles Arnold 2014-09-19 00:35:02 UTC

Xen submitted for relevant SLE platforms.

Comment 5 Marcus Meissner 2014-09-23 12:52:14 UTC

public

Comment 6 Marcus Meissner 2014-09-24 08:00:48 UTC

CVE-2014-7154

Comment 7 Swamp Workflow Management 2014-10-09 11:08:05 UTC

openSUSE-SU-2014:1279-1: An update that solves 10 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 798770,820873,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,891539,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 12.3 (src):    xen-4.2.4_04-1.32.1

Comment 8 Swamp Workflow Management 2014-10-09 11:11:00 UTC

openSUSE-SU-2014:1281-1: An update that solves 10 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 798770,820873,842006,864801,865682,875668,878841,880751,882127,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-3124,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 13.1 (src):    xen-4.3.2_02-27.1

Comment 9 Swamp Workflow Management 2014-10-22 23:07:55 UTC

SUSE-SU-2014:1318-1: An update that solves 10 vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 798770,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,882092,891539,895798,895799,895802,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.4_04-0.9.1

Comment 10 Swamp Workflow Management 2014-12-24 18:05:54 UTC

SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.5.1

Comment 11 Swamp Workflow Management 2014-12-30 19:05:23 UTC

SUSE-SU-2014:1732-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 826717,880751,895798,895799,895802,903967,903970,905467,906439
CVE References: CVE-2013-3495,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-8594,CVE-2014-8595,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.9.1

Comment 12 Marcus Meissner 2015-02-10 10:48:28 UTC

SLE12?

Comment 13 Marcus Meissner 2015-02-10 10:49:24 UTC

sle12 was fixed before the GA release.