Bug 906439 – VUL-0: CVE-2014-9030: XSA-113: xen: Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling

Bug 906439 - (CVE-2014-9030) VUL-0: CVE-2014-9030: XSA-113: xen: Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling

(CVE-2014-9030)
Summary:	VUL-0: CVE-2014-9030: XSA-113: xen: Guest effectable page reference leak in M...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:sle10-sp3:59806 maint:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2014-11-20 16:56 UTC by Johannes Segitz
Modified:	2016-11-22 17:19 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x (1.25 KB, patch) 2014-11-20 16:56 UTC, Johannes Segitz	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2014-11-20 16:56:03 UTC

Created attachment 614433 [details]
xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

ISSUE DESCRIPTION
=================

An error handling path in the processing of MMU_MACHPHYS_UPDATE failed
to drop a page reference which was acquired in an earlier processing
step.

IMPACT
======

Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

Only domains controlling HVM guests can exploit this vulnerability.
(This includes domains providing hardware emulation services to HVM
guests.)

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable on x86 systems.
Older versions have not been inspected.  ARM systems are not vulnerable.

This vulnerability is only applicable to Xen systems using stub domains
or other forms of disaggregation of control domains for HVM guests.

MITIGATION
==========

Running only PV guests will avoid this issue.

(The security of a Xen system using stub domains is still better than
with a qemu-dm running as an unrestricted dom0 process.  Therefore
users with these configurations should not switch to an unrestricted
dom0 qemu-dm.)

NOTE REGARDING LACK OF EMBARGO
==============================

A draft of this advisory was mistakenly sent to xen-devel.  The Xen
Project Security Team apologises for this error.  We are working to
share best working practices amongst the team to reduce the risks of
recurrance.

CREDITS
=======
This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa113.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa113*.patch
a0f2b792a6b4648151f85fe13961b0bf309a568ed03e1b1d4ea01e4eabf1b18e  xsa113.patch

Comment 1 Swamp Workflow Management 2014-11-20 23:03:05 UTC

bugbot adjusting priority

Comment 2 Johannes Segitz 2014-11-21 08:42:14 UTC

Use CVE-2014-9030

Comment 4 Charles Arnold 2014-11-25 22:51:36 UTC

Xen has been submitted with the following MR/SR numbers:

SLE12: MR#46616
SLE11-SP3: SR#46617
SLE11-SP2: SR#46618
SLE11-SP1: SR#46619
SLE11-SP1-Teradata: SR#46622
SLE10-SP4: SR#46620
SLE10-SP3: SR#46621

Comment 5 Swamp Workflow Management 2014-12-23 18:05:51 UTC

SUSE-SU-2014:1691-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 880751,895799,903850,903970,905467,906439
CVE References: CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    xen-3.2.3_17040_46-0.9.1

Comment 6 Swamp Workflow Management 2014-12-24 07:08:42 UTC

SUSE-SU-2014:1700-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 866902,882089,896023,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.5_02-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.5_02-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.5_02-0.7.1

Comment 7 Swamp Workflow Management 2014-12-24 18:07:35 UTC

SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.5.1

Comment 8 Swamp Workflow Management 2014-12-30 19:06:25 UTC

SUSE-SU-2014:1732-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 826717,880751,895798,895799,895802,903967,903970,905467,906439
CVE References: CVE-2013-3495,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-8594,CVE-2014-8595,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.9.1

Comment 9 Swamp Workflow Management 2015-01-09 11:08:05 UTC

SUSE-SU-2015:0022-1: An update that solves 8 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 826717,866902,882089,889526,896023,897614,897906,898772,900292,901317,903357,903359,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.1_08-5.2
SUSE Linux Enterprise Server 12 (src):    xen-4.4.1_08-5.2
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.1_08-5.2

Comment 10 Swamp Workflow Management 2015-02-06 10:07:52 UTC

openSUSE-SU-2015:0226-1: An update that solves 11 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 826717,866902,882089,889526,900292,901317,903357,903359,903850,903967,903970,905465,905467,906439,906996,910681
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361
Sources used:
openSUSE 13.1 (src):    xen-4.3.3_04-34.1

Comment 11 Marcus Meissner 2015-02-09 11:01:45 UTC

13.2 open, but well lets close

Comment 12 Swamp Workflow Management 2015-02-11 14:08:42 UTC

openSUSE-SU-2015:0256-1: An update that solves 11 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 826717,866902,882089,889526,896023,897906,898772,900292,901317,903357,903359,903850,903967,903970,904255,905465,905467,906439,906996,910681
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361
Sources used:
openSUSE 13.2 (src):    xen-4.4.1_08-9.1