Bugzilla – Bug 979670
VUL-0: CVE-2016-4963: xen: Unsanitised driver domain input in libxl device handling (XSA-178)
Last modified: 2016-10-13 19:14:32 UTC
bugbot adjusting priority
*** Bug 979641 has been marked as a duplicate of this bug. ***
            Xen Security Advisory CVE-2016-4963 / XSA-178
                              version 3

        Unsanitised driver domain input in libxl device handling

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

libxl's device-handling code freely uses and trusts information from
the backend directories in xenstore.

The backend domain (driver domain) can store bogus data in the
backend, causing libxl's enquiry functions to fail, confusing
management tools.

A driver domain can also remove its backend directory from xenstore
entirely, preventing the device from showing up in device listings and
preventing it from being removed and replaced.

A driver domain can cause libxl to generate disk eject events for
disks for which the driver domain is not responsible.

IMPACT
======

A malicious driver domain can deny service to management tools.

VULNERABLE SYSTEMS
==================

This vulnerability is only applicable to systems which are using
driver domains, and then only where the driver domain is not intended
to be fully trusted with respect to the host.

Such Xen systems using libxl based toolstacks (for example xl or
libvirt with the libxl driver) are vulnerable.

Note that even with this vulnerability a driver domain based system is
better from a security point of view, than a system where devices are
provided directly by dom0. Users and vendors of systems using driver
domains should not change their configuration.

MITIGATION
==========

No mitigation is available.

CREDITS
=======

This issue was discovered by Wei Liu from Citrix.

RESOLUTION
==========

Applying the appropriate attached patch set from XSA-175, plus the
appropriate attached patch set below, resolves this issue.
xsa178-unstable/*.patch        xen-unstable
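The trust problem in the advisory's ISSUE DESCRIPTION, as an added example (not code from libxl or from this bug report): a toy xenstore in which the driver domain owns the backend node and dom0 owns a separate toolstack copy, with one enquiry reading each. The domain ids, the `handle` key, the `/libxl/...` path layout and all function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { DOM0 = 0, DRIVER_DOM = 5 };            /* constructed domain ids */
#define BE_NODE    "/local/domain/5/backend/vif/7/0/handle" /* driver domain's */
#define LIBXL_NODE "/libxl/7/device/vif/0/handle"           /* toolstack's copy */

/* Toy xenstore: a flat table of nodes, each owned by one domain. */
struct node { const char *path; char value[24]; int owner; };
static struct node store[] = { { BE_NODE, "0", DRIVER_DOM }, { LIBXL_NODE, "0", DOM0 } };

static struct node *lookup(const char *path) {
    for (size_t i = 0; i < sizeof store / sizeof store[0]; i++)
        if (strcmp(store[i].path, path) == 0) return &store[i];
    return NULL;
}

/* Only the owner or dom0 may write; returns 0 on success, -1 if refused. */
int xs_write(int domid, const char *path, const char *val) {
    struct node *n = lookup(path);
    if (!n || (domid != DOM0 && domid != n->owner)) return -1;
    snprintf(n->value, sizeof n->value, "%s", val);
    return 0;
}

/* Strictly parse a decimal devid from a node; -1 on missing or malformed data. */
static int read_devid(const char *path, int *devid) {
    struct node *n = lookup(path);
    char *end;
    if (!n || n->value[0] == '\0') return -1;
    long v = strtol(n->value, &end, 10);
    if (*end != '\0' || v < 0 || v > 0xffff) return -1;
    *devid = (int)v;
    return 0;
}

/* Enquiry that trusts the backend directory, as the advisory describes. */
int getinfo_from_backend(int *devid) { return read_devid(BE_NODE, devid); }
/* Enquiry that reads the toolstack-owned copy instead. */
int getinfo_from_libxl(int *devid) { return read_devid(LIBXL_NODE, devid); }

int main(void) {
    int devid = -1;
    xs_write(DRIVER_DOM, BE_NODE, "bogus");   /* allowed: it owns the node */
    int be = getinfo_from_backend(&devid), lx = getinfo_from_libxl(&devid);
    printf("backend enquiry: %d, libxl enquiry: %d (devid %d)\n", be, lx, devid);
    return 0;
}
```

The enquiry that reads the backend node starts failing as soon as the driver domain rewrites it, while the one that reads the dom0-owned copy is unaffected because the driver domain's write to that node is refused.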
Hello, Testing SUSE:Maintenance:2957:118875 xen sle11sp4 comment #3 and comment #4 RESOLUTION ------------------------------------------------------------ Dropped these patches from the XSA-178 set: 19 libxl: Cleanup: Have libxl__alloc_vdev use /libxl 20 libxl: Cleanup: use libxl__backendpath_parse_domid in libxl__device_disk_from_xs_be 21 libxl: Document ~/serial/ correctly ... ------------------------------------------------------------ But they are included in our update: +- bsc#979670 - VUL-0: CVE-2016-4963: xen: Unsanitised driver domain + input in libxl device handling (XSA-178) + xsa178-0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch + xsa178-0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch + xsa178-0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch + xsa178-0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch + xsa178-0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch + xsa178-0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch + xsa178-0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch + xsa178-0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch + xsa178-0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch + xsa178-0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch + xsa178-0016-libxl-Do-not-trust-backend-for-nic-in-list.patch + xsa178-0019-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch + xsa178-0020-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch + xsa178-0021-libxl-Document-serial-correctly.patch
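Review bot: The added changelog entry lists xsa178-0019, xsa178-0020 and xsa178-0021, the three patches that the RESOLUTION text quoted just above it says were dropped from the XSA-178 set; either remove them or note in the entry that they are carried as cleanups on top of the advisory's set. The patch numbering in the entry also jumps over 0002, 0003, 0005, 0009, 0010, 0017 and 0018, so a line saying why those are not needed in this code stream would make the backport auditable.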
SUSE-SU-2016:2093-1: An update that solves 27 vulnerabilities and has 18 fixes is now available.
Category: security (important)
Bug References: 900418,949889,953339,953362,953518,954872,957986,958848,961600,963161,964427,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,988676,990843,990923
CVE References: CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6259,CVE-2016-6351
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): xen-4.5.3_08-17.1
SUSE Linux Enterprise Server 12-SP1 (src): xen-4.5.3_08-17.1
SUSE Linux Enterprise Desktop 12-SP1 (src): xen-4.5.3_08-17.1
SUSE-SU-2016:2100-1: An update that solves 26 vulnerabilities and has 16 fixes is now available.
Category: security (important)
Bug References: 954872,955399,957986,958848,961600,963161,964427,967630,973188,974038,974912,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,985503,986586,988675,989235,990843,990923
CVE References: CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xen-4.4.4_07-37.1
SUSE Linux Enterprise Server 11-SP4 (src): xen-4.4.4_07-37.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.4_07-37.1
needinfo was clarified I think.
Submitted for SLE-11-SP4, SLE-12, SLE-12-SP1
openSUSE-SU-2016:2494-1: An update that solves 46 vulnerabilities and has 17 fixes is now available.
Category: security (important)
Bug References: 900418,949889,953339,953362,953518,954872,955104,958848,959330,959552,961100,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,988676,990500,990843,990923,990970,991934,992224,993665,994421,994625,994761,994772,994775,995785,995789,995792
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2015-7512,CVE-2015-8504,CVE-2015-8558,CVE-2015-8568,CVE-2015-8613,CVE-2015-8743,CVE-2016-1714,CVE-2016-1981,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6259,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094
Sources used:
openSUSE Leap 42.1 (src): xen-4.5.3_10-15.2
openSUSE-SU-2016:2497-1: An update that solves 38 vulnerabilities and has 20 fixes is now available.
Category: security (important)
Bug References: 953339,953362,953518,954872,955399,958848,961100,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,990843,990923,990970,991934,992224,994421,994625,994761,994772,994775,995785,995789,995792,997731
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094,CVE-2016-7154
Sources used:
openSUSE 13.2 (src): xen-4.4.4_05-49.1
all done, closing
SUSE-SU-2016:2533-1: An update that solves 38 vulnerabilities and has 20 fixes is now available.
Category: security (important)
Bug References: 953339,953362,953518,954872,955399,957986,958848,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,990843,990923,990970,991934,992224,994421,994625,994761,994772,994775,995785,995789,995792,997731
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094,CVE-2016-7154
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): xen-4.4.4_04-22.22.2
SUSE Linux Enterprise Server 12-LTSS (src): xen-4.4.4_04-22.22.2