Xen Security Advisory CVE-2015-8550 / XSA-155
version 6

paravirtualized drivers incautious about shared memory contents

UPDATES IN VERSION 6
====================

Correct CREDITS section.

ISSUE DESCRIPTION
=================

The compiler can emit optimizations in the PV backend drivers which can lead to double fetch vulnerabilities. Specifically, the shared memory between the frontend and backend can be fetched twice (during which time the frontend can alter the contents), possibly leading to arbitrary code execution in the backend.

IMPACT
======

Malicious guest administrators can cause denial of service. If driver domains are not in use, the impact can be a host crash, or privilege escalation.

VULNERABLE SYSTEMS
==================

Systems running PV or HVM guests are vulnerable. ARM and x86 systems are vulnerable.

All OSes providing PV backends are susceptible; this includes Linux and NetBSD.

By default the Linux distributions compile kernels with optimizations.

MITIGATION
==========

There is no mitigation.

CREDITS
=======

This issue was discovered by Felix Wilhelm (ERNW Research, KIT / Operating Systems Group).

RESOLUTION
==========

Applying the appropriate attached patches should fix the problem for PV backends. Note that only PV backends are fixed; PV frontend patches will be developed and released (publicly) after the embargo date.

Please note that there is a bug in some versions of gcc, https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145, which can cause the construct used in RING_COPY_REQUEST() to be ineffective in some circumstances. We have determined that this is only the case when the structure being copied consists purely of bitfields. The Xen PV protocols updated here do not use bitfields in this way and therefore these patches are not subject to that bug. However, authors of third party PV protocols should take this into consideration.
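To illustrate the double fetch described above and the shape of the RING_COPY_REQUEST() fix, here is an added C example (not code from the advisory or from Xen): a constructed request struct with a backend handler that re-reads the shared ring after validating it, beside one that copies the request once through a volatile pointer and then works only on its private copy. The struct, its field names, and the demo_guest_rewrite() stand-in for a frontend changing the entry mid-processing are assumptions made for the demo.

```c
#include <stdint.h>
/* Constructed request layout for illustration, not a real Xen protocol struct. */
struct demo_request {
    uint8_t  nr_segments;   /* must be validated before use */
    uint32_t sector;
};
#define DEMO_MAX_SEGMENTS 4
/* Modelled on RING_COPY_REQUEST: one whole-struct copy out of guest-shared
 * memory through a volatile pointer; the backend never reads the shared copy
 * again.  Advisory caveat: gcc bug 58145 can defeat this construct for structs
 * made purely of bitfields; this struct has none. */
static inline void demo_copy_request(struct demo_request *dst,
                                     const struct demo_request *shared)
{
    *dst = *(const volatile struct demo_request *)shared;
}

/* Constructed stand-in for a frontend rewriting the ring entry mid-processing. */
static void demo_guest_rewrite(struct demo_request *shared)
{
    shared->nr_segments = 200;
}

/* Vulnerable pattern: validate a field read from the shared ring, then read it
 * again for use; the value can change between the two loads (double fetch). */
static int demo_handle_unsafe(struct demo_request *shared)
{
    if (shared->nr_segments > DEMO_MAX_SEGMENTS)
        return -1;                  /* first fetch passes validation */
    demo_guest_rewrite(shared);
    return shared->nr_segments;     /* second fetch: now out of range */
}

/* Fixed pattern: copy once, then validate and use only the private copy. */
static int demo_handle_safe(struct demo_request *shared)
{
    struct demo_request req;
    demo_copy_request(&req, shared);
    if (req.nr_segments > DEMO_MAX_SEGMENTS)
        return -1;
    demo_guest_rewrite(shared);
    return req.nr_segments;         /* unaffected by later ring changes */
}
/* Run one handler on a fresh constructed ring entry with the given segment count. */
int demo_run(int safe, uint8_t nr_segments)
{
    struct demo_request r = { nr_segments, 0 };
    return safe ? demo_handle_safe(&r) : demo_handle_unsafe(&r);
}
```

The unsafe handler returns the rewritten value 200 even though it validated 2; the safe handler keeps using the 2 it copied.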
Linux v4.4:
xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
xsa155-linux-xsa155-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
xsa155-linux-xsa155-0007-xen-pciback-Save-xen_pci_op-commands-before-processi.patch

Linux v4.[0,1,2,3]:
All the above patches except #5 will apply, please use:
xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch

Linux v3.19:
All the above patches except #5 and #6 will apply, please use:
xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
xsa155-linux319-0006-xen-scsiback-safely-copy-requests.patch

qemu-xen:
xsa155-qemu-qdisk-double-access.patch
xsa155-qemu-xenfb.patch

qemu-traditional:
xsa155-qemut-qdisk-double-access.patch
xsa155-qemut-xenfb.patch

NetBSD 7.0:
xsa155-netbsd-xsa155-0001-netbsd-xen-Add-RING_COPY_REQUEST.patch
xsa155-netbsd-xsa155-0002-netbsd-netback-Use-RING_COPY_REQUEST-instead-of-RING.patch
xsa155-netbsd-xsa155-0003-netbsd-ring-Add-barrier-to-provide-an-compiler-barri.patch
xsa155-netbsd-xsa155-0004-netbsd-block-only-read-request-operation-from-shared.patch
xsa155-netbsd-xsa155-0005-netbsd-pciback-Operate-on-local-version-of-xen_pci_o.patch

xen:
xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch

xen 4.4:
All patches except #3 will apply, please use:
xsa155-xen44-0003-libvchan-Read-prod-cons-only-once.patch
DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.

(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decision-making.)
For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html