Bugzilla – Bug 905467
VUL-0: CVE-2014-8867: XSA-112: xen: Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor
Last modified: 2016-11-22 17:19:33 UTC
*** EMBARGOED UNTIL 2014-11-27 12:00 UTC ***

ISSUE DESCRIPTION
=================

Acceleration support for the "REP MOVS" instruction, when the first iteration accesses memory mapped I/O emulated internally in the hypervisor, incorrectly assumes that the whole range accessed is handled by the same hypervisor sub-component.

IMPACT
======

A buggy or malicious HVM guest can crash the host or read data relating to other guests or the hypervisor itself.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable on x86 systems. Older versions have not been inspected. ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa112-unstable.patch    xen-unstable, Xen 4.4.x, Xen 4.3.x
xsa112-4.2.patch         Xen 4.2.x

$ sha256sum xsa112*.patch
8b6ee4055d37d416ed4192bf114a1b89948f03ee4c925f22932838ef0c36b40a  xsa112-4.2.patch
21c4698be6515e6833002f77ed02d5eaa4a692ebea9f127226f997310181dcc4  xsa112.patch
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-11-27. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59647
bugbot adjusting priority
UPDATES IN VERSION 2
====================

Impact is limited to host crash; there's no information leak here.

ISSUE DESCRIPTION
=================

Acceleration support for the "REP MOVS" instruction, when the first iteration accesses memory mapped I/O emulated internally in the hypervisor, incorrectly assumes that the whole range accessed is handled by the same hypervisor sub-component.

IMPACT
======

A buggy or malicious HVM guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable on x86 systems. Older versions have not been inspected. ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.
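The bounding that the issue description says was missing can be shown with a small model. This is an added example, not part of the advisory and not Xen's code or the attached patch; the region table, addresses and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model: one internally emulated MMIO range per handler. */
struct mmio_region { uint64_t base, len; };

/* Constructed layout: two adjacent ranges owned by different handlers. */
static const struct mmio_region regions[] = {
    { 0xfe000000ULL, 0x1000 },  /* handler 0 */
    { 0xfe001000ULL, 0x400  },  /* handler 1 */
};

/* True if [addr, addr + size) lies wholly inside r, without overflow. */
static bool in_region(const struct mmio_region *r, uint64_t addr, uint32_t size)
{
    return addr >= r->base && size <= r->len && addr - r->base <= r->len - size;
}

static const struct mmio_region *find_region(uint64_t addr, uint32_t size)
{
    for (size_t i = 0; i < sizeof(regions) / sizeof(regions[0]); i++)
        if (in_region(&regions[i], addr, size))
            return &regions[i];
    return NULL;
}

/*
 * Number of repetitions that may be passed to the handler that owns the
 * first iteration. The count is clamped so that every iteration stays in
 * that handler's range; the caller re-dispatches the remainder separately.
 * df models the x86 direction flag (true: addresses decrease).
 * Returns 0 if the first access is not internally emulated MMIO.
 */
uint64_t bounded_reps(uint64_t addr, uint32_t size, uint64_t count, bool df)
{
    if (size == 0 || count == 0)
        return 0;
    const struct mmio_region *r = find_region(addr, size);
    if (r == NULL)
        return 0;
    uint64_t off = addr - r->base;               /* offset of first access */
    uint64_t fit = df ? off / size + 1           /* room below, inclusive  */
                      : (r->len - off) / size;   /* room above             */
    return count < fit ? count : fit;
}
```
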
Created attachment 614520 [details] Xen 4.2.x switched patches, sorry. This one is 4.2.x
Created attachment 614521 [details] xen-unstable, Xen 4.4.x, Xen 4.3.x
Xen has been submitted with the following MR/SR numbers:
SLE12: MR#46616
SLE11-SP3: SR#46617
SLE11-SP2: SR#46618
SLE11-SP1: SR#46619
SLE11-SP1-Teradata: SR#46622
SLE10-SP4: SR#46620
SLE10-SP3: SR#46621
is public
SUSE-SU-2014:1691-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 880751,895799,903850,903970,905467,906439
CVE References: CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src): xen-3.2.3_17040_46-0.9.1
SUSE-SU-2014:1700-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 866902,882089,896023,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): xen-4.2.5_02-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src): xen-4.2.5_02-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src): xen-4.2.5_02-0.7.1
SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): xen-4.1.6_08-0.5.1
SUSE-SU-2014:1732-1: An update that fixes 9 vulnerabilities is now available.
Category: security (moderate)
Bug References: 826717,880751,895798,895799,895802,903967,903970,905467,906439
CVE References: CVE-2013-3495,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-8594,CVE-2014-8595,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src): xen-4.0.3_21548_18-0.9.1
SUSE-SU-2015:0022-1: An update that solves 8 vulnerabilities and has 10 fixes is now available.
Category: security (important)
Bug References: 826717,866902,882089,889526,896023,897614,897906,898772,900292,901317,903357,903359,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): xen-4.4.1_08-5.2
SUSE Linux Enterprise Server 12 (src): xen-4.4.1_08-5.2
SUSE Linux Enterprise Desktop 12 (src): xen-4.4.1_08-5.2
openSUSE-SU-2015:0226-1: An update that solves 11 vulnerabilities and has 5 fixes is now available.
Category: security (important)
Bug References: 826717,866902,882089,889526,900292,901317,903357,903359,903850,903967,903970,905465,905467,906439,906996,910681
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361
Sources used:
openSUSE 13.1 (src): xen-4.3.3_04-34.1
close
openSUSE-SU-2015:0256-1: An update that solves 11 vulnerabilities and has 9 fixes is now available.
Category: security (important)
Bug References: 826717,866902,882089,889526,896023,897906,898772,900292,901317,903357,903359,903850,903967,903970,904255,905465,905467,906439,906996,910681
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361
Sources used:
openSUSE 13.2 (src): xen-4.4.1_08-9.1