Information

Advisory XSA-121
Public release 2015-03-05 12:00
Updated 2015-03-05 12:18
Version 3
CVE(s) CVE-2015-2044
Title Information leak via internal x86 system device emulation

Files

advisory-121.txt (signed advisory file)
xsa121.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-2044 / XSA-121
                              version 3

       Information leak via internal x86 system device emulation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Emulation routines in the hypervisor dealing with certain system
devices check whether the access size by the guest is a supported one.
When the access size is unsupported these routines failed to set the
data to be returned to the guest for read accesses, so that hypervisor
stack contents are copied into the destination of the operation, thus
becoming visible to the guest.

IMPACT
======

A malicious HVM guest might be able to read sensitive data relating
to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

Only HVM guests can take advantage of this vulnerability.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa121.patch        xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa121*.patch
e74afb34e8059e8ee25b803019c192aa47c29208af2c19fb81aa84b0d7c0d268  xsa121.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----


Xenproject.org Security Team
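
The bug class described under ISSUE DESCRIPTION, shown as a flawed read handler beside a hardened one. This is an added example, not code from Xen or from xsa121.patch: the handler names, the register value, the `STALE_STACK` marker (a stand-in for leftover stack contents) and the all-ones filler are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define EMUL_OKAY   0
#define STALE_STACK 0xDEADBEEFu  /* constructed stand-in for leftover stack data */

static const uint8_t dev_reg = 0x5A;  /* constructed device register value */

/* Flawed pattern: an unsupported size returns success without writing *val. */
static int dev_read_flawed(unsigned int bytes, uint32_t *val)
{
    if (bytes != 1)
        return EMUL_OKAY;        /* *val keeps whatever the caller had */
    *val = dev_reg;
    return EMUL_OKAY;
}

/* Hardened pattern: every path that reports success defines *val. */
static int dev_read_fixed(unsigned int bytes, uint32_t *val)
{
    if (bytes != 1) {
        *val = ~0u;              /* defined filler, this example's choice */
        return EMUL_OKAY;
    }
    *val = dev_reg;
    return EMUL_OKAY;
}

typedef int (*read_fn)(unsigned int bytes, uint32_t *val);

/* Models the dispatch path: a local receives the handler's result and is
 * then copied to the guest, truncated to the access width. */
static uint32_t guest_read(read_fn handler, unsigned int bytes)
{
    uint32_t data = STALE_STACK; /* explicit model of an uninitialised local */
    uint32_t mask = bytes >= 4 ? ~0u : (1u << (bytes * 8)) - 1;

    if (handler(bytes, &data) != EMUL_OKAY)
        return 0;
    return data & mask;          /* the value the guest observes */
}

int main(void)
{
    printf("flawed, 1 byte: %#x\n", (unsigned)guest_read(dev_read_flawed, 1));
    printf("flawed, 2 byte: %#x\n", (unsigned)guest_read(dev_read_flawed, 2));
    printf("fixed,  2 byte: %#x\n", (unsigned)guest_read(dev_read_fixed, 2));
    return 0;
}
```

When reviewing similar handlers, check that every return path signalling success on a read also assigns the output value.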