Bugzilla – Bug 947165
VUL-1: CVE-2015-7311: xen: libxl fails to honour readonly flag on disks with qemu-xen (xsa-142)
Last modified: 2016-04-27 19:46:03 UTC
rh#1265269

ISSUE DESCRIPTION
=================

Callers of libxl can specify that a disk should be read-only to the guest. However, there is no code in libxl to pass this information to qemu-xen (the upstream-based qemu); and indeed there is no way in qemu to make a disk read-only.

The vulnerability is exploitable only via devices emulated by the device model, not the parallel PV devices for supporting PVHVM. Normally the PVHVM device unplug protocol renders the emulated devices inaccessible early in boot.

IMPACT
======

Malicious guest administrators or (in some situations) users may be able to write to supposedly read-only disk images.

CDROM devices (that is, devices specified to be presented to the guest as CDROMs, regardless of the nature of the backing storage on the host) are not affected.

VULNERABLE SYSTEMS
==================

Only systems using qemu-xen (rather than qemu-xen-traditional) as the device model version are vulnerable.

Only systems using libxl or libxl-based toolstacks are vulnerable. (This includes xl, and libvirt with the libxl driver.)

All versions of libxl which support qemu-xen are vulnerable. The affected code was introduced in Xen 4.1.

If the host and guest together usually support PVHVM, the issue is exploitable only if the malicious guest administrator has control of the guest kernel or guest kernel command line.

MITIGATION
==========

Switching to qemu-xen-traditional will avoid this vulnerability. This can be done with
    device_model_version="qemu-xen-traditional"
in the xl configuration file.

Using stub domain device models (which necessarily involves switching to qemu-xen-traditional) will also avoid this vulnerability. This can be done with
    device_model_stubdomain_override=true
in the xl configuration file.

Either of these mitigations is liable to have other guest-visible effects or even regressions.

It may be possible, depending on the configuration, to make the underlying storage object readonly, or to make it reject writes.
Upstream patches:
http://xenbits.xen.org/xsa/xsa142-4.5.patch
http://xenbits.xen.org/xsa/xsa142-4.6.patch

External References:
http://xenbits.xen.org/xsa/advisory-142.html

Acknowledgements:
Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Michael Young of Durham University as the original reporter.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1265269
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7311
http://seclists.org/oss-sec/2015/q3/615
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7311.html
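Added example (not part of the advisory or of this bug report): a Python audit that finds xl domain configs matching the condition the advisory describes, an HVM guest on the qemu-xen device model, without a stub domain, that has a non-CDROM disk marked read-only. It parses only a simplified subset of the xl syntax, and treating an unset device_model_version as qemu-xen is an assumption exposed as the hypothetical default_dm parameter; the sample config is constructed.

```python
import ast
import re

# Constructed sample config (guest name and paths are made up).
SAMPLE = '''
name = "guest1"
builder = "hvm"
device_model_version = "qemu-xen"
disk = [ '/var/lib/xen/images/guest1/root.raw,raw,hda,rw',
         '/var/lib/xen/images/shared/data.raw,raw,hdb,ro',
         '/var/lib/xen/images/iso/install.iso,raw,hdd,ro,cdrom' ]
'''

ASSIGN = re.compile(r"""^\s*(\w+)\s*=\s*(\[.*?\]|"[^"]*"|'[^']*'|\S+)""", re.M | re.S)
READONLY = {"r", "ro", "readonly", "access=r", "access=ro"}
CDROM = {"cdrom", "devtype=cdrom"}

def parse_xl_cfg(text):
    """Parse the simple `key = value` subset of an xl domain config."""
    text = re.sub(r"#.*", "", text)      # strip comments (assumes no '#' in values)
    cfg = {}
    for key, raw in ASSIGN.findall(text):
        try:
            cfg[key] = ast.literal_eval(raw)   # strings, numbers, lists
        except (ValueError, SyntaxError):
            cfg[key] = raw                     # bare words such as true
    return cfg

def readonly_disks(cfg):
    """Return disk specs that request read-only access and are not CDROMs."""
    hits = []
    for spec in cfg.get("disk", []):
        fields = [f.strip().lower() for f in spec.split(",")]
        is_cdrom = any(f in CDROM or f.endswith(":cdrom") for f in fields)
        if not is_cdrom and any(f in READONLY for f in fields):
            hits.append(spec)
    return hits

def audit(text, default_dm="qemu-xen"):
    """Disks whose read-only flag is not enforced for this guest, else []."""
    cfg = parse_xl_cfg(text)
    hvm = "hvm" in (cfg.get("builder"), cfg.get("type"))
    dm = cfg.get("device_model_version", default_dm)
    stub = str(cfg.get("device_model_stubdomain_override", 0)).lower() in ("1", "true")
    if not hvm or dm != "qemu-xen" or stub:
        return []                        # PV guest, or one of the mitigations applies
    return readonly_disks(cfg)

if __name__ == "__main__":
    for spec in audit(SAMPLE):
        print("read-only flag not enforced by qemu-xen:", spec)
```

A config flagged here is the same one that, with the updated packages discussed in the comments below, fails to start with "qemu-xen doesn't support read-only disk drivers".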
bugbot adjusting priority
I have this patch backported for the relevant SLE distro versions.
SUSE-SU-2015:1853-1: An update that solves 8 vulnerabilities and has 6 fixes is now available.
Category: security (important)
Bug References: 877642,907514,910258,918984,923967,932267,941074,944463,944697,947165,950367,950703,950705,950706
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): xen-4.2.5_14-18.2
SUSE Linux Enterprise Server 11-SP3 (src): xen-4.2.5_14-18.2
SUSE Linux Enterprise Desktop 11-SP3 (src): xen-4.2.5_14-18.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src): xen-4.2.5_14-18.2

SUSE-SU-2015:1894-1: An update that solves 8 vulnerabilities and has 9 fixes is now available.
Category: security (important)
Bug References: 877642,901488,907514,910258,918984,923967,932267,944463,944697,945167,947165,949138,949549,950367,950703,950705,950706
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xen-4.4.3_02-26.2
SUSE Linux Enterprise Server 11-SP4 (src): xen-4.4.3_02-26.2
SUSE Linux Enterprise Desktop 11-SP4 (src): xen-4.4.3_02-26.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.3_02-26.2
Using updates:

    bastion:~ # rpm -qa | grep xen
    xen-libs-4.4.3_02-22.12.1.x86_64
    patterns-sles-xen_tools-32bit-12-58.8.x86_64
    xen-libs-32bit-4.4.3_02-22.12.1.x86_64
    kernel-xen-devel-3.12.48-52.27.2.x86_64
    xen-4.4.3_02-22.12.1.x86_64
    libvirt-daemon-xen-1.2.5-25.4.x86_64
    xen-doc-html-4.4.3_02-22.12.1.x86_64
    grub2-x86_64-xen-2.02~beta2-54.1.x86_64
    xen-kmp-default-4.4.2_10_k3.12.44_52.10-22.8.1.x86_64
    xen-kmp-default-4.4.3_02_k3.12.48_52.27-22.12.1.x86_64
    patterns-sles-xen_server-32bit-12-58.8.x86_64
    crash-kmp-xen-7.0.5_k3.12.28_4-7.12.x86_64
    xen-tools-4.4.3_02-22.12.1.x86_64
    kernel-xen-3.12.48-52.27.2.x86_64

and starting Xen HVM guests (SLES11SP4, SLES12 running on top of a SLES12 Xen host) with an additional disk added (using SCSI or IDE controller) with the read-only flag marked will lead to failure of the guests' boot:

    bastion:~ # virsh start sles11sp4_HVM
    error: Failed to start domain sles11sp4_HVM
    error: internal error: libxenlight failed to create new domain 'sles11sp4_HVM'

From: /var/log/libvirt/libxl/sles11sp4_HVM.log

    libxl: debug: libxl_create.c:1386:do_domain_create: ao 0x7f08d0001350: create: how=(nil) callback=(nil) poller=0x7f08d0004230
    libxl: debug: libxl_device.c:251:libxl__device_disk_set_backend: Disk vdev=hda spec.backend=qdisk
    libxl: debug: libxl_device.c:251:libxl__device_disk_set_backend: Disk vdev=hdb spec.backend=unknown
    libxl: debug: libxl_device.c:197:disk_try_backend: Disk vdev=hdb, backend phy unsuitable as phys path not a block device
    libxl: debug: libxl_device.c:286:libxl__device_disk_set_backend: Disk vdev=hdb, using backend qdisk
    libxl: debug: libxl_device.c:251:libxl__device_disk_set_backend: Disk vdev=hdd spec.backend=qdisk
    libxl: debug: libxl_create.c:837:initiate_domain_create: running bootloader
    libxl: debug: libxl_bootloader.c:321:libxl__bootloader_run: not a PV domain, skipping bootloader
    libxl: debug: libxl_event.c:622:libxl__ev_xswatch_deregister: watch w=0x7f08d0004b38: deregister unregistered
    libxl: debug: libxl_numa.c:478:libxl__get_numa_candidate: New best NUMA placement candidate found: nr_nodes=1, nr_cpus=8, nr_vcpus=10, free_memkb=2626
    libxl: detail: libxl_dom.c:195:numa_place_domain: NUMA placement candidate with 1 nodes, 8 cpus and 2626 KB free selected
    xc: detail: elf_parse_binary: phdr: paddr=0x100000 memsz=0x9f364
    xc: detail: elf_parse_binary: memory: 0x100000 -> 0x19f364
    xc: detail: VIRTUAL MEMORY ARRANGEMENT:
      Loader: 0000000000100000->000000000019f364
      Modules: 0000000000000000->0000000000000000
      TOTAL: 0000000000000000->000000003f800000
      ENTRY ADDRESS: 0000000000100000
    xc: detail: PHYSICAL MEMORY ALLOCATION:
      4KB PAGES: 0x0000000000000200
      2MB PAGES: 0x00000000000001fb
      1GB PAGES: 0x0000000000000000
    xc: detail: elf_load_binary: phdr 0 at 0x7f08ebf5d000 -> 0x7f08ebff31d1
    libxl: debug: libxl_device.c:251:libxl__device_disk_set_backend: Disk vdev=hda spec.backend=qdisk
    libxl: debug: libxl_event.c:622:libxl__ev_xswatch_deregister: watch w=0x7f08d0004530: deregister unregistered
    libxl: debug: libxl_device.c:251:libxl__device_disk_set_backend: Disk vdev=hdb spec.backend=qdisk
    libxl: debug: libxl_event.c:622:libxl__ev_xswatch_deregister: watch w=0x7f08d0005fe0: deregister unregistered
    libxl: debug: libxl_device.c:251:libxl__device_disk_set_backend: Disk vdev=hdd spec.backend=qdisk
    libxl: debug: libxl_event.c:622:libxl__ev_xswatch_deregister: watch w=0x7f08d0006a30: deregister unregistered
    libxl: error: libxl_dm.c:768:libxl__build_device_model_args_new: qemu-xen doesn't support read-only disk drivers
    libxl: error: libxl_dm.c:1444:device_model_spawn_outcome: (null): spawn failed (rc=-3)
    libxl: error: libxl_create.c:1230:domcreate_devmodel_started: device model did not start: -3
    libxl: error: libxl_dm.c:1540:kill_device_model: unable to find device model pid in /local/domain/5/image/device-model-pid
    libxl: error: libxl.c:1520:libxl__destroy_domid: libxl__destroy_device_model failed for 5
    libxl: debug: libxl_create.c:1400:do_domain_create: ao 0x7f08d0001350: inprogress: poller=0x7f08d0004230, flags=i
    libxl: debug: libxl_event.c:622:libxl__ev_xswatch_deregister: watch w=0x7f08d0009040: deregister unregistered
    libxl: debug: libxl_event.c:622:libxl__ev_xswatch_deregister: watch w=0x7f08d0009290: deregister unregistered
    libxl: debug: libxl_event.c:622:libxl__ev_xswatch_deregister: watch w=0x7f08d00094e0: deregister unregistered
    libxl: debug: libxl_event.c:622:libxl__ev_xswatch_deregister: watch w=0x7f08d0009780: deregister unregistered
    libxl: debug: libxl_event.c:1600:libxl__ao_complete: ao 0x7f08d0001350: complete, rc=-3
    libxl: debug: libxl_event.c:1572:libxl__ao__destroy: ao 0x7f08d0001350: destroy

Using the n-1 version of the Xen-related packages, guests are booting as expected. Guests are also booting as expected when the read-only flag is removed.
In case you need access to my test lab, please let me know and I will send you the credentials.
I believe it is doing what the patch intended. Note the error from your log:

"libxl: error: libxl_dm.c:768:libxl__build_device_model_args_new: qemu-xen doesn't support read-only disk drivers"

It is stating that you can't have read only disks. Before this patch, it was allowing read-only disks to be used by the VM that were really writable. This was the reason for the security bug and the patch that prevents the VM from starting thereby giving the impression that you have a protected read only disk when really you don't. If you re-enable the disk to be writable, the VM should start up fine.
SUSE-SU-2015:1908-1: An update that solves 8 vulnerabilities and has 8 fixes is now available.
Category: security (important)
Bug References: 877642,901488,907514,910258,918984,923967,932267,944463,944697,945167,947165,949138,950367,950703,950705,950706
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): xen-4.4.3_02-22.12.1
SUSE Linux Enterprise Server 12 (src): xen-4.4.3_02-22.12.1
SUSE Linux Enterprise Desktop 12 (src): xen-4.4.3_02-22.12.1
(In reply to Victor Pereira from comment #0)
> The vulnerability is exploitable only via devices emulated by the device
> model, not the parallel PV devices for supporting PVHVM. Normally the PVHVM
> device unplug protocol renders the emulated devices inaccessible early in
> boot.

We support only PVHVM. And as such this patch is of no concern for us. Too bad it was already released.
openSUSE-SU-2015:1964-1: An update that solves 12 vulnerabilities and has two fixes is now available.
Category: security (important)
Bug References: 877642,932267,938344,939709,939712,941074,944463,944697,947165,950367,950703,950705,950706,951845
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972
Sources used:
openSUSE 13.1 (src): xen-4.3.4_06-50.1

openSUSE-SU-2015:2003-1: An update that solves 13 vulnerabilities and has 9 fixes is now available.
Category: security (important)
Bug References: 877642,901488,907514,910258,918984,923967,925466,932267,935634,938344,939709,939712,944463,944697,945167,947165,949138,950367,950703,950705,950706,951845
CVE References: CVE-2014-0222,CVE-2015-3259,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972
Sources used:
openSUSE 13.2 (src): xen-4.4.3_02-30.1

openSUSE-SU-2015:2249-1: An update that fixes 10 vulnerabilities is now available.
Category: security (moderate)
Bug References: 947165,950704,954018,954405
CVE References: CVE-2015-3259,CVE-2015-4106,CVE-2015-5154,CVE-2015-5239,CVE-2015-5307,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7970,CVE-2015-8104
Sources used:
openSUSE Leap 42.1 (src): xen-4.5.2_01-6.1

openSUSE-SU-2015:2250-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 947165,950704,954018,954405
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7835,CVE-2015-7970,CVE-2015-8104
Sources used:
openSUSE 13.2 (src): xen-4.4.3_04-33.1

SUSE-SU-2015:2324-1: An update that fixes 14 vulnerabilities is now available.
Category: security (moderate)
Bug References: 947165,954018,954405,956408,956409,956411,956592,956832
CVE References: CVE-2015-3259,CVE-2015-4106,CVE-2015-5154,CVE-2015-5239,CVE-2015-5307,CVE-2015-6815,CVE-2015-7311,CVE-2015-7504,CVE-2015-7835,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): xen-4.5.2_02-4.1
SUSE Linux Enterprise Server 12-SP1 (src): xen-4.5.2_02-4.1
SUSE Linux Enterprise Desktop 12-SP1 (src): xen-4.5.2_02-4.1

SUSE-SU-2015:2326-1: An update that solves 12 vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 947165,950703,950704,950705,950706,951845,954018,954405,956408,956409,956411,956592,956832
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7504,CVE-2015-7969,CVE-2015-7970,CVE-2015-7971,CVE-2015-7972,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): xen-4.2.5_18-21.1
SUSE Linux Enterprise Server 11-SP3 (src): xen-4.2.5_18-21.1
SUSE Linux Enterprise Desktop 11-SP3 (src): xen-4.2.5_18-21.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): xen-4.2.5_18-21.1

SUSE-SU-2015:2328-1: An update that fixes 13 vulnerabilities is now available.
Category: security (moderate)
Bug References: 947165,950703,950704,950705,950706,951845,954018,954405,956408,956409,956411,956592,956832
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7504,CVE-2015-7835,CVE-2015-7969,CVE-2015-7970,CVE-2015-7971,CVE-2015-7972,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): xen-4.4.3_06-22.15.1
SUSE Linux Enterprise Server 12 (src): xen-4.4.3_06-22.15.1
SUSE Linux Enterprise Desktop 12 (src): xen-4.4.3_06-22.15.1
released
SUSE-SU-2015:2338-1: An update that solves 13 vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 947165,950703,950704,950705,950706,951845,954018,954405,955399,956408,956409,956411,956592,956832
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7504,CVE-2015-7835,CVE-2015-7969,CVE-2015-7970,CVE-2015-7971,CVE-2015-7972,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xen-4.4.3_06-29.1
SUSE Linux Enterprise Server 11-SP4 (src): xen-4.4.3_06-29.1
SUSE Linux Enterprise Desktop 11-SP4 (src): xen-4.4.3_06-29.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.3_06-29.1

openSUSE-SU-2016:0124-1: An update that solves 15 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 947165,950704,954018,954405,956408,956409,956411,956592,956832,957988,958007,958009,958493,958523,958918,959006
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7504,CVE-2015-7549,CVE-2015-7970,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558
Sources used:
openSUSE 13.1 (src): xen-4.3.4_10-53.1