Bug 897657 - (CVE-2014-7188) VUL-0: CVE-2014-7188: xen: XSA-108 Improper MSR range used for x2APIC emulation
Status: RESOLVED FIXED
Duplicates: 905117
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P2 - High, Severity: Major
Assigned To: Security Team bot
maint:released:sle11-sp3:59232 maint:...
Reported: 2014-09-22 05:27 UTC by Marcus Meissner
Modified: 2014-12-24 18:06 UTC (History)
Attachments
xsa108.patch (1.06 KB, patch)
2014-09-22 05:27 UTC, Marcus Meissner
Description Marcus Meissner 2014-09-22 05:27:23 UTC
embargoed, CRD 2014-10-01 12:00 UTC

                    Xen Security Advisory XSA-108

              Improper MSR range used for x2APIC emulation

              *** EMBARGOED UNTIL 2014-10-01 12:00 UTC ***

ISSUE DESCRIPTION
=================

The MSR range specified for APIC use in the x2APIC access model spans
256 MSRs. Hypervisor code emulating read and write accesses to these
MSRs erroneously covered 1024 MSRs. While the write emulation path is
written such that accesses to the extra MSRs would not have any bad
effect (they end up being no-ops), the read path would (attempt to)
access memory beyond the single page set up for APIC emulation.

IMPACT
======

A buggy or malicious HVM guest can crash the host or read data
relating to other guests or the hypervisor itself.

VULNERABLE SYSTEMS
==================

Xen 4.1 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa108.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa108*.patch
89aca860721e355c2c275d89bd23cd6e73db3a8054bc3c90c6ad0f77536610ea  xsa108.patch
$
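
A small C model of the range problem the advisory describes, added here as an illustration; it is not code from Xen or from xsa108.patch. The x2APIC MSR base (0x800) and the 16-byte register stride come from the Intel x2APIC specification; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X2APIC_MSR_BASE 0x800u  /* first x2APIC MSR (Intel SDM) */
#define APIC_PAGE_SIZE  4096u   /* single page backing the emulated APIC */
#define SPEC_MSRS       256u    /* width of the range in the x2APIC access model */
#define WIDE_MSRS       1024u   /* over-wide width described in the advisory */

/* Each x2APIC MSR maps to one 16-byte register slot in the APIC page. */
static uint32_t msr_to_offset(uint32_t msr)
{
    return (msr - X2APIC_MSR_BASE) << 4;
}

/* Range check parameterised by width so both variants can be compared. */
static int msr_in_window(uint32_t msr, uint32_t width)
{
    return msr >= X2APIC_MSR_BASE && msr - X2APIC_MSR_BASE < width;
}

/* Model of a read handler: 0 on success, -1 if the MSR is outside the
 * window, -2 if the mapped offset would leave the APIC page. */
static int emulate_read(const uint8_t *page, uint32_t msr,
                        uint32_t width, uint32_t *val)
{
    if (!msr_in_window(msr, width))
        return -1;
    uint32_t off = msr_to_offset(msr);
    if (off + sizeof(*val) > APIC_PAGE_SIZE)
        return -2;              /* defensive bound: never index past the page */
    memcpy(val, page + off, sizeof(*val));
    return 0;
}

/* Count MSRs accepted by the window whose offset falls outside the page. */
static unsigned count_out_of_page(uint32_t width)
{
    unsigned n = 0;
    for (uint32_t msr = X2APIC_MSR_BASE; msr_in_window(msr, width); msr++)
        if (msr_to_offset(msr) + 4 > APIC_PAGE_SIZE)
            n++;
    return n;
}

int main(void)
{
    printf("256-MSR window:  %u reads past the page\n", count_out_of_page(SPEC_MSRS));
    printf("1024-MSR window: %u reads past the page\n", count_out_of_page(WIDE_MSRS));
    return 0;
}
```

With the 256-MSR window every accepted MSR maps inside the page; with the 1024-MSR window the range check alone lets through MSRs whose offsets lie beyond it, which is why the model also bounds the offset itself.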
Comment 1 Marcus Meissner 2014-09-22 05:27:58 UTC
Created attachment 607103 [details]
xsa108.patch

attached patch
Comment 2 SMASH SMASH 2014-09-22 09:10:08 UTC
Affected packages:

SLE-11-SP3: xen
SLE-11-SP3-PRODUCTS: xen
SLE-11-SP3-UPTU: xen
Comment 3 Marcus Meissner 2014-09-22 09:16:56 UTC
read overflow only, apparently
Comment 4 Charles Arnold 2014-09-22 15:00:22 UTC
Given the timing of the embargo I wonder how we should handle this for
SLE-12?
Comment 5 Marcus Meissner 2014-09-23 15:44:29 UTC
we probably need to hold it back a bit as customers might get it too early with the next RC / Pool channel push.
Comment 6 Marcus Meissner 2014-09-29 13:53:02 UTC
CVE-2014-7188
Comment 7 Swamp Workflow Management 2014-10-01 12:06:10 UTC
bugbot adjusting priority
Comment 8 Marcus Meissner 2014-10-01 12:09:14 UTC
public now.

I think Alex is reconsidering the respool of the current xen SLES packages to include this fix.
Comment 9 Alexander Bergmann 2014-10-01 12:17:56 UTC
Yes, I've just spoken to Charles and the submission is on its way.

See bnc#880751 for more details about the whole submission set.
Comment 10 Charles Arnold 2014-10-03 14:34:41 UTC
This fix has been included in the pending maintenance update.

SLE11 SP3: SR#44915
SLE11 SP2: SR#44916

os12.3: SR#253501
os13.1: SR#253503
Factory os13.2: SR#253627
Comment 11 Swamp Workflow Management 2014-10-09 11:08:48 UTC
openSUSE-SU-2014:1279-1: An update that solves 10 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 798770,820873,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,891539,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 12.3 (src):    xen-4.2.4_04-1.32.1
Comment 12 Swamp Workflow Management 2014-10-09 11:11:42 UTC
openSUSE-SU-2014:1281-1: An update that solves 10 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 798770,820873,842006,864801,865682,875668,878841,880751,882127,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-3124,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 13.1 (src):    xen-4.3.2_02-27.1
Comment 17 Swamp Workflow Management 2014-10-22 23:08:26 UTC
SUSE-SU-2014:1318-1: An update that solves 10 vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 798770,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,882092,891539,895798,895799,895802,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.4_04-0.9.1
Comment 18 Charles Arnold 2014-12-08 14:06:45 UTC
*** Bug 905117 has been marked as a duplicate of this bug. ***
Comment 19 Marcus Meissner 2014-12-18 14:55:58 UTC
Done, I would say.
Comment 20 Swamp Workflow Management 2014-12-24 18:06:24 UTC
SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.5.1