Bugzilla – Bug 880751
VUL-0: CVE-2014-4021: xen: XSA-100: Hypervisor heap contents leaked to guests
Last modified: 2014-12-30 19:05:08 UTC
Created attachment 592810
Patch for XSA-100

EMBARGOED UNTIL 2014-06-17 12:00 UTC

ISSUE DESCRIPTION
=================
While memory pages recovered from dying guests are being cleaned to avoid leaking sensitive information to other guests, memory pages that were in use by the hypervisor and are eligible to be allocated to guests weren't being properly cleaned. Such exposure of information would happen through memory pages freshly allocated to or by the guest.

Normally the leaked data is administrative information of limited value to an attacker. However, scenarios exist where guest CPU register state and hypercall arguments might be leaked.

IMPACT
======
A malicious guest might be able to read data relating to other guests or the hypervisor itself.

Data at rest in guest memory or storage (filesystems) is not affected. However, it is possible for an attacker to obtain modest amounts of in-flight and in-use data, which might contain passwords or cryptographic keys.

VULNERABLE SYSTEMS
==================
Xen 3.2.x and later are vulnerable.

Xen 3.1.x and earlier have not been inspected.

MITIGATION
==========
No comprehensive mitigation is available.

An attacker will find it easier to obtain sensitive data from a victim guest if the attacker is able to initiate domain management operations and lifecycle events for that guest. This includes a situation where the attacker can cause the victim guest to crash. Therefore the risk from this vulnerability can be somewhat reduced by restricting management (such as migration or resource adjustment) to fully trusted guest or host administrators, and by eliminating any Denial of Service vulnerabilities against potential victim guests.

RESOLUTION
==========
Applying the attached patch resolves this issue.

xsa100.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x

Note that to avoid a regression on systems with AMD IOMMU, additionally commit 6b4d71d0 ("AMD IOMMU: don't free page table prematurely") found at
http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=6b4d71d028f445cba7426a144751fddc8bfdd67b
will be required if not already in place in the respective tree. This additional patch is known not to apply cleanly to Xen 4.1 and no backport is available at the time of writing. We would appreciate contributions of a backported version.

$ sha256sum xsa100*.patch
2cbd3a52bb8d32d00a19e2ce48e3157034b484b4a7b7282cae0d108ffb4ddca0  xsa100.patch
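The allocator behaviour the advisory describes, modelled as an added toy example in C. This is not Xen's code and does not reproduce the real page allocator or xsa100.patch; the page size, pool size, owner states and the SECRET payload (standing in for hypercall arguments) are constructed for illustration. It shows the pre-fix policy (scrub only pages recovered from a dying guest) next to the fixed policy (scrub every frame that can later be handed to a guest), and measures what a freshly allocated guest page still contains under each.

```c
/* Toy model of hypervisor page-pool scrubbing (added example, not Xen code).
 * Pages are 64 bytes; "owner" records who last held the frame. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <stdbool.h>

#define TOY_PAGE_SIZE 64   /* constructed; real pages are 4 KiB */
#define TOY_NPAGES    4

enum owner { OWNER_FREE, OWNER_HYPERVISOR, OWNER_DYING_GUEST, OWNER_GUEST };

struct toy_page {
    enum owner owner;
    uint8_t data[TOY_PAGE_SIZE];
};

static struct toy_page pool[TOY_NPAGES];

/* Constructed "in-flight" data standing in for hypercall arguments. */
static const char SECRET[] = "hypercall args: key=0xdeadbeef";

static void scrub_page(struct toy_page *pg)
{
    memset(pg->data, 0, TOY_PAGE_SIZE);
}

/* Pre-fix policy (as the advisory describes it): only pages recovered from a
 * dying guest are scrubbed. Frames the hypervisor used return to the pool
 * with their contents intact. */
static void free_page_vulnerable(struct toy_page *pg)
{
    if (pg->owner == OWNER_DYING_GUEST)
        scrub_page(pg);
    pg->owner = OWNER_FREE;
}

/* Fixed policy: any frame that may later be allocated to a guest is scrubbed
 * on free, regardless of who held it. */
static void free_page_fixed(struct toy_page *pg)
{
    scrub_page(pg);
    pg->owner = OWNER_FREE;
}

/* First-fit allocation from the shared pool; NULL when exhausted. */
static struct toy_page *alloc_page(enum owner who)
{
    for (size_t i = 0; i < TOY_NPAGES; i++) {
        if (pool[i].owner == OWNER_FREE) {
            pool[i].owner = who;
            return &pool[i];
        }
    }
    return NULL;
}

/* Bytes in a page that are not zero, i.e. what a guest could read back. */
static size_t count_nonzero(const struct toy_page *pg)
{
    size_t n = 0;
    for (size_t i = 0; i < TOY_PAGE_SIZE; i++)
        n += pg->data[i] != 0;
    return n;
}

/* Simulate: a previous holder writes SECRET into a frame, frees it under the
 * chosen policy, then a new guest allocates a page and gets the same frame.
 * Returns the number of non-zero bytes the new guest can read. */
size_t leaked_bytes(enum owner previous_holder, bool fixed)
{
    memset(pool, 0, sizeof pool);          /* pristine pool, every frame free */

    struct toy_page *pg = alloc_page(previous_holder);
    memcpy(pg->data, SECRET, sizeof SECRET);

    if (fixed)
        free_page_fixed(pg);
    else
        free_page_vulnerable(pg);

    struct toy_page *guest = alloc_page(OWNER_GUEST);
    /* First-fit hands the guest the frame just freed; (size_t)-1 flags a
     * model error if that ever stops being true. */
    return guest == pg ? count_nonzero(guest) : (size_t)-1;
}

int main(void)
{
    printf("vulnerable, hypervisor frame : %zu bytes leaked\n",
           leaked_bytes(OWNER_HYPERVISOR, false));
    printf("vulnerable, dying-guest frame: %zu bytes leaked\n",
           leaked_bytes(OWNER_DYING_GUEST, false));
    printf("fixed,      hypervisor frame : %zu bytes leaked\n",
           leaked_bytes(OWNER_HYPERVISOR, true));
    return 0;
}
```

The point the model makes is that the scrub decision was keyed on the previous owner rather than on the next one: a frame from a dying guest was cleaned, a frame the hypervisor itself had just used was not, yet both end up in the same free pool a guest allocates from. Scrubbing on the free path for every frame that can reach a guest removes the dependency on who held it last.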
bugbot adjusting priority
Affected packages: SLE-11-SP3: xen
*** Bug 881987 has been marked as a duplicate of this bug. ***
went public
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-09-22. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58863
Summary of what is checked in. Let me know if I should delete the Teradata submissions and just leave the standard SLE11-SP1 and SLE10-SP3 submissions.

All Bugs
========
- bnc#895802 - VUL-0: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts
- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
- bnc#895798 - VUL-0: xen: XSA-104: Race condition in HVMOP_track_dirty_vram
- bnc#864801 - VUL-0: CVE-2013-4540: qemu: zaurus: buffer overrun on invalid state load
- bnc#891539 - xend: fix netif convertToDeviceNumber for running domains
- bnc#882092 - Installing SLES12 as a VM on SLES11 SP3 fails because of btrfs in the VM
- bnc#881900 - XEN kernel panic do_device_not_available()
- bnc#833483 - Boot Failure with xen kernel in UEFI mode with error "No memory for trampoline"
- bnc#880751 - VUL-0: xen: Hypervisor heap contents leaked to guests
- bnc#878841 - VUL-0: XSA-96: Xen: Vulnerabilities in HVM MSI injection
- bnc#862608 - SLES 11 SP3 vm-install should get RHEL 7 support when released
- bnc#867910 - VUL-0: xen: XSA-89: HVMOP_set_mem_access is not preemptible
- bnc#842006 - VUL-1: CVE-2013-4344: XSA-65: xen: qemu SCSI REPORT LUNS buffer overflow
- bnc#858178 - [HP HPS Bug]: SLES11sp3 XEN kiso version cause softlockup on 8 blades npar(480 cpu)
- bnc#865682 - Local attach support for PHY backends using scripts
- bnc#798770 - Improve multipath support for npiv devices

Security and Maintenance SLE11-SP3 SR#44321
==================================
- bnc#895802 - VUL-0: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts
- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
- bnc#895798 - VUL-0: xen: XSA-104: Race condition in HVMOP_track_dirty_vram
- bnc#864801 - VUL-0: CVE-2013-4540: qemu: zaurus: buffer overrun on invalid state load
- bnc#880751 - VUL-0: CVE-2014-4021: xen: XSA-100: Hypervisor heap contents leaked to guests
- bnc#878841 - VUL-0: XSA-96: Xen: Vulnerabilities in HVM MSI injection
- bnc#867910 - VUL-0: xen: XSA-89: HVMOP_set_mem_access is not preemptible
- bnc#842006 - VUL-1: CVE-2013-4344: XSA-65: xen: qemu SCSI REPORT LUNS buffer overflow
- bnc#882092 - Installing SLES12 as a VM on SLES11 SP3 fails because of btrfs in the VM
- bnc#891539 - Bug in virsh attach-device / detach-device functions
- bnc#881900 - XEN kernel panic do_device_not_available()
- bnc#833483 - Boot Failure with xen kernel in UEFI mode with error "No memory for trampoline"
- bnc#862608 - SLES 11 SP3 vm-install should get RHEL 7 support when released
- bnc#858178 - [HP HPS Bug]: SLES11sp3 XEN kiso version cause softlockup on 8 blades npar(480 cpu)
- bnc#865682 - Local attach support for PHY backends using scripts
- bnc#798770 - Improve multipath support for npiv devices

Security SLE11-SP2 SR#44322
==================
- bnc#895802 - VUL-0: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts
- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
- bnc#895798 - VUL-0: xen: XSA-104: Race condition in HVMOP_track_dirty_vram
- bnc#880751 - VUL-0: CVE-2014-4021: xen: XSA-100: Hypervisor heap contents leaked to guests
- bnc#875668 - VUL-0: CVE-2014-3124: xen: XSA-92: HVMOP_set_mem_type allows invalid P2M entries to be created
- bnc#867910 - VUL-0: CVE-2014-2599: xen: XSA-89: HVMOP_set_mem_access is not preemptible

Security SLE11-SP1 (SUSE:SLE-11-SP1:Update:Teradata:Test) SR#44323, (Teradata SR#44326)
==================
- bnc#895802 - VUL-0: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts
- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
- bnc#895798 - VUL-0: xen: XSA-104: Race condition in HVMOP_track_dirty_vram
- bnc#880751 - VUL-0: CVE-2014-4021: xen: XSA-100: Hypervisor heap contents leaked to guests

Security SLE10-SP3/SP4 (SUSE:SLE-10-SP3:Update:Teradata:Test) SP3 SR#44324, (Teradata SR#44327) SP4 SR#44325
======================
- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
- bnc#880751 - VUL-0: CVE-2014-4021: xen: XSA-100: Hypervisor heap contents leaked to guests
Hi Charles,

the following bugs/XSAs got CVEs assigned that are missing inside the changes file. Please resubmit.

SLE11-SP3(SR#44321):
bnc#867910: XSA-89: CVE-2014-2599
bnc#878841: XSA-96: CVE-2014-3967, CVE-2014-3968
bnc#880751: XSA-100: CVE-2014-4021

The Teradata submissions are looking good.
(In reply to comment #11)
> Hi Charles,
>
> the following bugs/XSAs got CVEs assigned that are missing inside the changes
> file. Please resubmit.
>
> SLE11-SP3(SR#44321):
> bnc#867910: XSA-89: CVE-2014-2599
> bnc#878841: XSA-96: CVE-2014-3967, CVE-2014-3968
> bnc#880751: XSA-100: CVE-2014-4021

Yes, the original entries were made before a CVE had been assigned. They have now been updated in the change log to contain the CVE.

New SR#44354
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-10-06. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59011
Updates submitted for openSUSE. os12.3: MR#251755 os13.1: MR#251756
openSUSE-SU-2014:1279-1: An update that solves 10 vulnerabilities and has 8 fixes is now available. Category: security (important) Bug References: 798770,820873,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,891539,895798,895799,895802,896023,897657 CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188 Sources used: openSUSE 12.3 (src): xen-4.2.4_04-1.32.1
openSUSE-SU-2014:1281-1: An update that solves 10 vulnerabilities and has four fixes is now available. Category: security (important) Bug References: 798770,820873,842006,864801,865682,875668,878841,880751,882127,895798,895799,895802,896023,897657 CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-3124,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188 Sources used: openSUSE 13.1 (src): xen-4.3.2_02-27.1
SUSE-SU-2014:1318-1: An update that solves 10 vulnerabilities and has 7 fixes is now available. Category: security (moderate) Bug References: 798770,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,882092,891539,895798,895799,895802,897657 CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): xen-4.2.4_04-0.9.1 SUSE Linux Enterprise Server 11 SP3 (src): xen-4.2.4_04-0.9.1 SUSE Linux Enterprise Desktop 11 SP3 (src): xen-4.2.4_04-0.9.1
released
SUSE-SU-2014:1691-1: An update that solves 5 vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 880751,895799,903850,903970,905467,906439 CVE References: CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030 Sources used: SUSE Linux Enterprise Server 10 SP4 LTSS (src): xen-3.2.3_17040_46-0.9.1
SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439 CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030 Sources used: SUSE Linux Enterprise Server 11 SP2 LTSS (src): xen-4.1.6_08-0.5.1
SUSE-SU-2014:1732-1: An update that fixes 9 vulnerabilities is now available. Category: security (moderate) Bug References: 826717,880751,895798,895799,895802,903967,903970,905467,906439 CVE References: CVE-2013-3495,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-8594,CVE-2014-8595,CVE-2014-8867,CVE-2014-9030 Sources used: SUSE Linux Enterprise Server 11 SP1 LTSS (src): xen-4.0.3_21548_18-0.9.1